Abstract—An improved Present Future form (PF form) for linear time μ-calculus (νTL) is presented in this paper. In particular, the future part of the new version turns into the conjunction of elements in the closure of a formula. We show that every closed νTL formula can be transformed into the new PF form. Additionally, based on the PF form, an algorithm for constructing the Present Future form Graph (PFG), which can be utilized to describe models of a formula, is given. Further, an intuitive and efficient decision procedure for checking satisfiability of the guarded fragment of νTL formulas based on PFG is proposed and implemented in C++. The new decision procedure has the best time complexity over the existing ones, at the cost of exponential space. Finally, a PFG-based model checking approach for νTL is discussed, where a counterexample can be obtained visually when a model violates a property.

Index Terms—Linear time μ-calculus, present future form graph, satisfiability, decision procedure, model checking.
1 Introduction

Linear time μ-calculus (νTL) [1], the linear time counterpart of modal μ-calculus [2], extends LTL [3] with least and greatest fixpoint operators. It is a formalism succinct in syntax and strong in expressive power, capturing the full class of ω-regular properties [4], [5]. Hence, it is useful for specifying and verifying various properties of concurrent programs and has received ever growing interest in the past few decades. From an application point of view, it is of great significance to establish a decision procedure for checking satisfiability of νTL formulas. The work, however, is not easy due to the nesting of fixpoint operators.

Satisfiability and model checking [6] are the two main decision problems for νTL; both are PSPACE-complete [7]. By satisfiability we denote the problem of finding a decision procedure for determining whether a formula is satisfiable, while by model checking we mean the problem of deciding whether all paths of a given Kripke structure satisfy a certain property. Moreover, decision procedures for checking satisfiability always play a critical role in deriving model checking approaches.

A lot of work has been done on achieving efficient decision procedures. The major milestone for the decision problems of modal μ-calculus is due to Streett and Emerson [8], who introduce the notion of well-founded pre-models and apply automata theory to check satisfiability. Related methods [9], [10] translate a formula into an equivalent alternating tree automaton and then check for emptiness. In [7], Vardi first adapts Streett and Emerson's method to νTL with past operators, which yields an algorithm running in $2^{O(|\phi|)}$. Later, Banieqbal and Barringer [11] show that if a formula has a model, then it is able to generate a good Hintikka structure, which can be further transformed into a good path searching problem in a graph. Their algorithm is equivalent in time complexity to Vardi's but runs in exponential space. In [12], Stirling and Walker present a tableau characterisation for νTL's decision problems without mentioning complexity issues. Bradfield, Esparza and Mader [13] improve the system of Stirling and Walker based on the work in [14] by simplifying the success conditions for a tableau, and their algorithm runs in $2^{O(|\phi|^2 \log |\phi|)}$. In [15], Dax, Hofmann and Lange propose a decision procedure for checking validity of νTL formulas running in $2^{O(|\phi|^2 \log |\phi|)}$ and implemented in OCaml. To the best of our knowledge, all the existing decision methods mentioned above except for [15] are relatively complicated and concerned with theoretical aspects rather than practical applications. Therefore, we are motivated to formalize a more efficient and practical decision procedure.

To this end, a new Present Future form (PF form) for νTL formulas is presented in this paper, and we prove that every closed νTL formula can be transformed into this form. Compared with [16], the definition of the new PF form, which still consists of the present and future parts, is more elegant: the present part remains unchanged while the future part turns into the conjunction of elements in the closure of a given formula. This further facilitates the proof of finiteness of the Present Future form Graph (PFG), which can be used to describe models of a formula. A path in a PFG characterizes exactly a pre-model [9], [8] of the corresponding formula. Additionally, an algorithm, based on PF form, for constructing PFGs is given. In a PFG, an edge may be associated with a mark, which is a subset of the variables occurring in the formula and is utilized to keep track of the infinite unfolding problem for least fixpoint formulas. Further, a decision procedure for checking satisfiability of the guarded fragment of νTL formulas based on PFG is presented. It is realized, with the help of marks, by searching for a ν-path in a PFG on which no least fixpoint formula unfolds itself infinitely. Moreover, the decision procedure has been implemented in C++. The result shows that our method improves the current best time complexity, $2^{O(|\phi|^2 \log |\phi|)}$ [13], [14], [12], to $2^{O(|\phi|)}$, at the cost of exponential space.

Based on the proposed decision procedure, a PFG-based model checking approach for νTL is also proposed. To do so, first, an algorithm for constructing the product of a Kripke structure and a PFG is presented. Subsequently, we apply the notion of ν-paths in PFGs to the product graphs. Further, given a Kripke structure $M$ and a desired property $\phi$, model checking is achieved by searching for a ν-path in the product graph of $M$ and the PFG of $\neg\phi$.
If such a path can be found, we obtain a counterexample; otherwise, $M$ satisfies $\phi$.

The idea of this paper is inspired by the normal form and normal form graph of Propositional Projection Temporal Logic (PPTL) [17], [18], which have played a vital role in obtaining a decision procedure for checking satisfiability [19], [20], [21]. Compared with the existing methods for checking satisfiability of νTL formulas, our decision procedure has the following advantages: (1) it does not depend on automata theory, since it considers PFGs; (2) it is more efficient in time and practical at the same time; (3) it gives good insight into why and how a given formula is satisfiable through its PFG; (4) when a Kripke structure violates a property, it intuitively reflects why a path is a counterexample through the corresponding product graph.

To summarize, our contributions are as follows:

• We define a new PF form for νTL formulas and prove that every closed νTL formula can be transformed into this form.

• We provide an algorithm for constructing PFGs, which can be used to describe models of a formula. During the construction process, marks are added, which are useful in keeping track of the infinite unfolding problem for least fixpoint formulas.

• We introduce the notion of ν-paths and present a decision procedure for checking satisfiability of the guarded fragment of νTL formulas by finding a ν-path in a PFG.

• We show that our decision procedure has the current best time complexity. We implement the decision procedure in C++, and experimental results show that our algorithm performs better than the one given in [15].

• We apply the notion of ν-paths in PFGs to product graphs and propose a PFG-based model checking approach for νTL.

The rest of this paper is organized as follows. The syntax and semantics of νTL and some basic notions are introduced in Section 2. The new PF form of νTL formulas is presented in Section 3. Section 4 describes an algorithm for constructing PFGs, and the decision procedure for checking satisfiability of the guarded fragment of νTL formulas based on PFG is given in Section 5. Section 6 presents a model checking approach for νTL based on PFG. Related work is discussed in Section 7. Conclusions are drawn in Section 8.

2 Preliminaries

2.1 Syntax and Semantics of νTL

Let $P$ be a set of atomic propositions, and $\mathcal{V}$ a set of variables. νTL formulas are constructed based on the following syntax:

$$\phi ::= p \mid \neg p \mid X \mid \phi \vee \phi \mid \phi \wedge \phi \mid \bigcirc \phi \mid \mu X.\phi \mid \nu X.\phi$$

where $p$ ranges over $P$ and $X$ over $\mathcal{V}$.

We use $\sigma$ to denote either $\mu$ or $\nu$. An occurrence of a variable $X$ in a formula is called free when it does not lie within the scope of $\sigma X$; it is called bound otherwise. A formula is called closed when it contains no free variables. Given two νTL formulas $\phi_1$ and $\phi_2$, we say $\phi_1 \le \phi_2$ iff $\phi_1$ is a subformula of $\phi_2$, and $\phi_1 < \phi_2$ iff $\phi_2$ is a proper subformula of $\phi_1$. We write $\phi[\phi'/Y]$ for the result of simultaneously substituting $\phi'$ for all free occurrences of variable $Y$ in $\phi$. For each variable $X$ in a formula, we assume that $X$ is bound at most once. Thus, all formulas constructed by the syntax above are in positive normal form [22], i.e. negations can be applied only to atomic propositions and each variable occurring in a formula is bound at most once.

For each bound variable $X$ in formula $\phi$, the unique subformula of $\phi$ of the form $\sigma X.\psi$ is said to be identified by $X$. The bound variables in $\phi$ can be partially ordered based on the nesting of their identified fixpoint formulas. Specifically, given two bound variables $X$ and $Y$ in $\phi$, we say $X$ is higher than $Y$ iff the fixpoint formula identified by $Y$ is a proper subformula of the one identified by $X$.

A formula is called guarded if, for each bound variable $X$ in that formula, every occurrence of $X$ is in the scope of a $\bigcirc$ operator. Every formula can be transformed into an equivalent one in guarded form [23]. Note that the transformation causes an exponential increase in the size of a formula in the worst case [24].

Example 1. Translating formula $\nu X.(p \wedge \mu Y.(q \vee X \wedge \bigcirc Y))$ into guarded form.

$$\nu X.(p \wedge \mu Y.(q \vee X \wedge \bigcirc Y))$$

$$= \nu X.(p \wedge (q \vee X \wedge \bigcirc \mu Y.(q \vee X \wedge \bigcirc Y))) \qquad \text{by law } \sigma X.\phi = \phi[\sigma X.\phi/X]$$

$$= \nu X.(p \wedge q \vee p \wedge \bigcirc \mu Y.(q \vee X \wedge \bigcirc Y)) \qquad \text{by law } \nu X.(X \wedge \phi \vee \psi) = \nu X.(\phi \vee \psi)$$

νTL formulas are interpreted over linear time structures. A linear time structure over $P$ is a function $\mathcal{K} : \mathbb{N} \to 2^{P}$, where $\mathbb{N}$ denotes the set of natural numbers. The semantics of a νTL formula $\phi$, relative to $\mathcal{K}$ and an environment $e : \mathcal{V} \to 2^{\mathbb{N}}$, is inductively defined as follows:

$$[\![p]\!]^{\mathcal{K}}_e := \{i \in \mathbb{N} \mid p \in \mathcal{K}(i)\}$$

$$[\![\neg p]\!]^{\mathcal{K}}_e := \{i \in \mathbb{N} \mid p \notin \mathcal{K}(i)\}$$

$$[\![X]\!]^{\mathcal{K}}_e := e(X)$$

$$[\![\phi \vee \psi]\!]^{\mathcal{K}}_e := [\![\phi]\!]^{\mathcal{K}}_e \cup [\![\psi]\!]^{\mathcal{K}}_e$$

$$[\![\phi \wedge \psi]\!]^{\mathcal{K}}_e := [\![\phi]\!]^{\mathcal{K}}_e \cap [\![\psi]\!]^{\mathcal{K}}_e$$

$$[\![\bigcirc \phi]\!]^{\mathcal{K}}_e := \{i \in \mathbb{N} \mid i + 1 \in [\![\phi]\!]^{\mathcal{K}}_e\}$$

$$[\![\mu X.\phi]\!]^{\mathcal{K}}_e := \bigcap \{W \subseteq \mathbb{N} \mid [\![\phi]\!]^{\mathcal{K}}_{e[X \mapsto W]} \subseteq W\}$$

$$[\![\nu X.\phi]\!]^{\mathcal{K}}_e := \bigcup \{W \subseteq \mathbb{N} \mid W \subseteq [\![\phi]\!]^{\mathcal{K}}_{e[X \mapsto W]}\}$$

where $e[X \mapsto W]$ is the environment $e'$ agreeing with $e$ except for $e'(X) = W$. $e$ is used to evaluate free variables and can be dropped when $\phi$ is closed.

For a given formula $\phi$, we say $\phi$ is true at state $i$ of linear time structure $\mathcal{K}$, denoted by $\mathcal{K}, i \models \phi$, iff $i \in [\![\phi]\!]^{\mathcal{K}}$. We say $\phi$ is valid, denoted by $\models \phi$, iff $\mathcal{K}, j \models \phi$ for all linear time structures $\mathcal{K}$ and all states $j$ of $\mathcal{K}$; $\phi$ is satisfiable iff there exists a linear time structure $\mathcal{K}$ and a state $j$ of $\mathcal{K}$ such that $\mathcal{K}, j \models \phi$.


2.2 Approximants

Let $Ord$ denote the class of ordinals. Approximants of fixpoint formulas are defined inductively by: $\mu^{0} X.\phi = \bot$, $\nu^{0} X.\phi = \top$, $\sigma^{\alpha+1} X.\phi = \phi[\sigma^{\alpha} X.\phi/X]$, $\mu^{\lambda} X.\phi = \bigvee_{\alpha < \lambda} \mu^{\alpha} X.\phi$ and $\nu^{\lambda} X.\phi = \bigwedge_{\alpha < \lambda} \nu^{\alpha} X.\phi$, where $\alpha, \lambda \in Ord$. In particular, $\lambda$ is a limit ordinal.

The following lemma [25] is a standard result about approximants.

Lemma 1. For a linear time structure $\mathcal{K}$, we have $\mathcal{K}, 0 \models \nu X.\phi$ iff $\forall \alpha \in Ord$, $\mathcal{K}, 0 \models \nu^{\alpha} X.\phi$, and $\mathcal{K}, 0 \models \mu Y.\phi$ iff $\exists \alpha \in Ord$, $\mathcal{K}, 0 \models \mu^{\alpha} Y.\phi$. [25]

Note that in both cases above, $\alpha$ is not a limit ordinal.

Let $\phi$ be a closed νTL formula with exactly $n$ μ-variables $X_1, \ldots, X_n$ such that $X_i$ is higher than $X_j$ implies $i < j$. A μ-signature for $\phi$ is a tuple $\xi = (\alpha_1, \ldots, \alpha_n) \in (\mathbb{N} \cup \{\omega\})^{n}$ where each $\alpha_i$ is an ordinal. A μ-signature with respect to a variable $Y$ in $\xi$ is the prefix $(\alpha_1, \ldots, \alpha_i)$ of $\xi$ such that $Y = X_i$ when $Y$ is a μ-variable, or $X_i$ is the last μ-variable higher than $Y$ when $Y$ is a ν-variable. We write $\xi(i)$ for the $i$-th component of $\xi$. For two μ-signatures $\xi_1$ and $\xi_2$ for $\phi$, we write $\xi_1 < \xi_2$ to mean that $\xi_1$ lexicographically precedes $\xi_2$, i.e. $\xi_1(j) < \xi_2(j)$ and $\xi_1(i) = \xi_2(i)$ for some $j$ and each $i < j$. Note that the lexicographic ordering on μ-signatures is well-founded.

For a linear time structure $\mathcal{K}$ and a state $j$ of $\mathcal{K}$, we say $\mathcal{K}, j \models_{\xi} \phi$ if $(\mathcal{K}, j)$ is a model of the formula resulting from $\phi$ with every least fixpoint subformula $\mu X_i.\phi_i$ of $\phi$ being interpreted by $\mu^{\xi(i)} X_i.\phi_i$.

2.3 Closure

The closure $CL(\phi)$ of a formula $\phi$, based on [26], is the least set of formulas such that

(i) $\phi, true \in CL(\phi)$,

(ii) if $\psi \vee \psi' \in CL(\phi)$ or $\psi \wedge \psi' \in CL(\phi)$, then $\psi \in CL(\phi)$ and $\psi' \in CL(\phi)$,

(iii) if $\bigcirc \psi \in CL(\phi)$, then $\psi \in CL(\phi)$,

(iv) if $\sigma X.\psi \in CL(\phi)$, then $\psi[\sigma X.\psi/X] \in CL(\phi)$.

Example 2. The closure of formula $\nu X.\mu Y.(\bigcirc Y \vee p \wedge \bigcirc X)$.

$$CL(\nu X.\mu Y.(\bigcirc Y \vee p \wedge \bigcirc X)) = \{\nu X.\mu Y.(\bigcirc Y \vee p \wedge \bigcirc X),\ true,$$

$$\mu Y.(\bigcirc Y \vee p \wedge \bigcirc \nu X.\mu Y.(\bigcirc Y \vee p \wedge \bigcirc X)),$$

$$\bigcirc \mu Y.(\bigcirc Y \vee p \wedge \bigcirc \nu X.\mu Y.(\bigcirc Y \vee p \wedge \bigcirc X)) \vee p \wedge \bigcirc \nu X.\mu Y.(\bigcirc Y \vee p \wedge \bigcirc X),$$

$$\bigcirc \mu Y.(\bigcirc Y \vee p \wedge \bigcirc \nu X.\mu Y.(\bigcirc Y \vee p \wedge \bigcirc X)),$$

$$p \wedge \bigcirc \nu X.\mu Y.(\bigcirc Y \vee p \wedge \bigcirc X),\ p,\ \bigcirc \nu X.\mu Y.(\bigcirc Y \vee p \wedge \bigcirc X)\}$$

It has been proved that the size of $CL(\phi)$ is linear in the size of $\phi$ (denoted by $|\phi|$) [26].

2.4 Dependency Relationship

Definition 1. For two formulas $\sigma X.\phi$ and $\sigma Y.\psi$ where $\sigma X.\phi < \sigma Y.\psi$, we say $Y$ depends on $X$, denoted by $X < Y$, iff $X$ occurs free in $\psi$.

Note that the dependency relationship is transitive in a formula.

Example 3. Dependency relationship between variables.

I. $\nu X.(\bigcirc X \wedge \mu Y.(p \vee \bigcirc Y))$

II. $\nu X.\mu Y.(\bigcirc Y \vee p \wedge \bigcirc X) \vee \mu Z.\nu W.(\bigcirc Z \vee q \wedge \bigcirc W)$

III. $\mu X.\nu Y.(\bigcirc X \vee \mu Z.\bigcirc(Z \vee Y \wedge p))$

In formula I, $X$ and $Y$ do not depend on each other. In formula II, we have $X < Y$ and $Z < W$, while in formula III we have $X < Y < Z$.

3 PF Form of νTL Formulas

In this section, we first define the PF form of νTL formulas and then prove that every closed νTL formula can be transformed into this form.

3.1 PF Form

Definition 2. Let $\phi$ be a closed νTL formula and $P_\phi$ the set of atomic propositions appearing in $\phi$. The PF form of $\phi$ is defined by:

$$\phi = \bigvee_{i=1}^{n} (\phi_{p_i} \wedge \bigcirc \phi_{f_i})$$

where $\phi_{p_i} = \bigwedge_{h=1}^{m_1} \dot{p}_{i_h}$, $\dot{p}_{i_h} \in \dot{P}_\phi$ for each $h$ ($\dot{r}$ denotes either $r$ or $\neg r$ for each $r \in P_\phi$), and $\phi_{f_i} = \bigwedge_{m=1}^{m_2} \phi_{i_m}$, $\phi_{i_m} \in CL(\phi)$ for each $m$.

The main difference between the PF form presented here and the one in [16] lies in the future part: in this paper, the future part is the conjunction of elements in the closure of a given formula rather than a closed formula as in [16]. Thus, the PF form presented here is more rigorous in structure, and this dramatically simplifies the proof of finiteness of PFG.

In the following, we prove that every closed νTL formula can be transformed into PF form. For technical reasons, from now on we confine ourselves to guarded formulas with no $\vee$ appearing as the main operator under any $\bigcirc$ operator. This can be easily achieved by pushing $\bigcirc$ operators inwards using the equivalence $\bigcirc(\phi_1 \vee \phi_2) = \bigcirc \phi_1 \vee \bigcirc \phi_2$.

Theorem 2. Every closed νTL formula $\phi$ can be transformed into PF form.

Proof. Let $Conj(\psi)$ represent the set of all conjuncts in formula $\psi$. The proof proceeds by induction on the structure of $\phi$.

• Base case:

– $\phi$ is $p$ (or $\neg p$): $p$ (or $\neg p$) can be transformed as

$$p = p \wedge \bigcirc true \quad (\text{or } \neg p = \neg p \wedge \bigcirc true)$$

The theorem holds obviously in these two cases.

• Induction:

– $\phi$ is $\bigcirc \psi$: $\bigcirc \psi$ can be written as

$$\bigcirc \psi = \bigvee_{i} (true \wedge \bigcirc \psi_i)$$

where the $\psi_i$ are the disjuncts obtained by pushing $\bigcirc$ inwards. For each $\psi_c \in Conj(\psi_i)$, we have $\psi_c \in CL(\phi)$ since $\psi \in CL(\phi)$. Hence, $\phi$ can be transformed into PF form in this case.

– $\phi$ is $\phi_1 \vee \phi_2$: by the induction hypothesis, both $\phi_1$ and $\phi_2$ can be transformed into PF form:

$$\phi_1 = \bigvee_{i=1}^{n} (\phi_{1p_i} \wedge \bigcirc \phi_{1f_i}), \qquad \phi_2 = \bigvee_{j=1}^{m} (\phi_{2p_j} \wedge \bigcirc \phi_{2f_j})$$

where $\phi_{1c} \in Conj(\phi_{1f_i})$ and $\phi_{1c} \in CL(\phi_1)$, $\phi_{2c} \in Conj(\phi_{2f_j})$ and $\phi_{2c} \in CL(\phi_2)$, for each $i$ and $j$. Then we have

$$\phi = \phi_1 \vee \phi_2 = \bigvee_{i=1}^{n} (\phi_{1p_i} \wedge \bigcirc \phi_{1f_i}) \vee \bigvee_{j=1}^{m} (\phi_{2p_j} \wedge \bigcirc \phi_{2f_j})$$

Since $\phi_1 \vee \phi_2 \in CL(\phi)$, we have $\phi_1, \phi_2 \in CL(\phi)$. For each $\phi_{1c} \in Conj(\phi_{1f_i})$, by the induction hypothesis, we have $\phi_{1c} \in CL(\phi_1)$. Therefore, $\phi_{1c} \in CL(\phi)$. Similarly, we obtain that each $\phi_{2c} \in CL(\phi)$. Thus, $\phi$ can be transformed into PF form in this case.

– $\phi$ is $\phi_1 \wedge \phi_2$: by the induction hypothesis, both $\phi_1$ and $\phi_2$ can be transformed into PF form:

$$\phi_1 = \bigvee_{i=1}^{n} (\phi_{1p_i} \wedge \bigcirc \phi_{1f_i}), \qquad \phi_2 = \bigvee_{j=1}^{m} (\phi_{2p_j} \wedge \bigcirc \phi_{2f_j})$$

where $\phi_{1c} \in Conj(\phi_{1f_i})$ and $\phi_{1c} \in CL(\phi_1)$, $\phi_{2c} \in Conj(\phi_{2f_j})$ and $\phi_{2c} \in CL(\phi_2)$, for each $i$ and $j$. Then $\phi$ can be further converted into:

$$\phi = \phi_1 \wedge \phi_2 = \Big(\bigvee_{i=1}^{n} (\phi_{1p_i} \wedge \bigcirc \phi_{1f_i})\Big) \wedge \Big(\bigvee_{j=1}^{m} (\phi_{2p_j} \wedge \bigcirc \phi_{2f_j})\Big)$$

$$= \bigvee_{i=1}^{n} \bigvee_{j=1}^{m} (\phi_{1p_i} \wedge \phi_{2p_j} \wedge \bigcirc(\phi_{1f_i} \wedge \phi_{2f_j}))$$

Since $\phi_1 \wedge \phi_2 \in CL(\phi)$, we have $\phi_1, \phi_2 \in CL(\phi)$. For each $\phi_{1c} \in Conj(\phi_{1f_i})$, by the induction hypothesis, we have $\phi_{1c} \in CL(\phi_1)$. Hence, $\phi_{1c} \in CL(\phi)$. Similarly, we obtain that each $\phi_{2c} \in CL(\phi)$. Therefore, all conjuncts behind $\bigcirc$ operators in $\phi$ belong to $CL(\phi)$, and $\phi$ can be transformed into PF form in this case.

– $\phi$ is $\mu X.\psi$: let $p_X$ be an atomic proposition with $[\![p_X]\!]^{\mathcal{K}} = [\![\mu X.\psi]\!]^{\mathcal{K}}$ w.r.t. a certain linear time structure $\mathcal{K}$. As a result, $\psi[p_X/X]$ can be treated as a closed formula. By the induction hypothesis, $\psi[p_X/X]$ can be transformed into PF form:

$$\psi[p_X/X] = \bigvee_{i=1}^{n} (\psi_{p_i} \wedge \bigcirc \psi_{f_i}[p_X/X])$$

Due to the restriction of guarded form, $p_X$ can only appear in the future part of the above PF form. Suppose

$$U_1 = \{\psi_{f_1}, \ldots, \psi_{f_m}\}, \qquad U_2 = \{\psi_{f_{m+1}}, \ldots, \psi_{f_n}\}$$

where each $\psi_{f_j} \in U_1$ ($j \in \{1, \ldots, m\}$) does not contain $p_X$, while each $\psi_{f_k} \in U_2$ ($k \in \{m+1, \ldots, n\}$) contains $p_X$. By the induction hypothesis, for each $\psi_{cj} \in Conj(\psi_{f_j})$ and $\psi_{ck}[p_X/X] \in Conj(\psi_{f_k})$, we have $\psi_{cj}, \psi_{ck}[p_X/X] \in CL(\psi[p_X/X])$. Since $\mu X.\psi = \psi[\mu X.\psi/X]$, $\phi$ can be converted into:

$$\phi = \psi[\mu X.\psi/X] = \bigvee_{i=1}^{n} (\psi_{p_i} \wedge \bigcirc \psi_{f_i}[\mu X.\psi/p_X])$$

For each $\psi_{cj} \in CL(\psi[p_X/X])$, after the substitution of $\mu X.\psi$ for $p_X$, we still have $\psi_{cj} \in CL(\psi[\mu X.\psi/p_X])$. Since $\psi[\mu X.\psi/p_X] = \psi[\mu X.\psi/X]$ and $\psi[\mu X.\psi/X] \in CL(\phi)$, we get $\psi_{cj} \in CL(\phi)$. For each $\psi_{ck}[p_X/X] \in CL(\psi[p_X/X])$, after the substitution of $\mu X.\psi$ for $p_X$, we further obtain $\psi_{ck}[\mu X.\psi/p_X] \in CL(\psi[\mu X.\psi/p_X])$. Since $\psi[\mu X.\psi/p_X] = \psi[\mu X.\psi/X]$ and $\psi[\mu X.\psi/X] \in CL(\phi)$, we have $\psi_{ck}[\mu X.\psi/p_X] \in CL(\phi)$. Therefore, $\phi$ can be transformed into PF form in this case.

– $\phi$ is $\nu X.\psi$: this case can be proved similarly to the case where $\phi$ is $\mu X.\psi$.

Thus, it can be concluded that every closed νTL formula can be transformed into PF form. □

3.2 Algorithm for Transforming a νTL Formula Into PF Form

In this section we present algorithm PFTran for transforming a closed νTL formula $\phi$ into PF form. The basic idea of the algorithm comes directly from the proof of Theorem 2; thus, its correctness is ensured.

Algorithm 1 PFTran($\phi$)

1: case

2: $\phi$ is $true$: return $true \wedge \bigcirc true$

3: $\phi$ is $false$: return $false$

4: $\phi$ is $\phi_p$ where $\phi_p = \bigwedge_{h=1}^{m} \dot{p}_h$: return $\phi_p \wedge \bigcirc true$

5: $\phi$ is $\phi_p \wedge \bigcirc \psi$: return $\bigvee_i (\phi_p \wedge \bigcirc \psi_i)$

6: $\phi$ is $\bigcirc \psi$: return $\bigvee_i (true \wedge \bigcirc \psi_i)$

7: $\phi$ is $\phi_1 \vee \phi_2$: return PFTran($\phi_1$) $\vee$ PFTran($\phi_2$)

8: $\phi$ is $\phi_1 \wedge \phi_2$: return AND(PFTran($\phi_1$), PFTran($\phi_2$))

9: $\phi$ is $\sigma X.\psi$: return PFTran($\psi[\sigma X.\psi/X]$)

10: end case

In algorithm PFTran, if $\phi$ is $true$ or $false$, the transformation is straightforward; if $\phi$ is $\phi_p$ where $\phi_p = \bigwedge_{h=1}^{m} \dot{p}_h$, its PF form is $\phi_p \wedge \bigcirc true$; if $\phi$ is $\phi_p \wedge \bigcirc \psi$, its PF form is $\bigvee_i (\phi_p \wedge \bigcirc \psi_i)$; if $\phi$ is $\bigcirc \psi$, its PF form is $\bigvee_i (true \wedge \bigcirc \psi_i)$; if $\phi$ is $\phi_1 \vee \phi_2$, the algorithm calls itself to transform $\phi_1$ and $\phi_2$ into PF form respectively; if $\phi$ is $\phi_1 \wedge \phi_2$, the algorithm also calls itself first to transform $\phi_1$ and $\phi_2$ into PF form respectively and then converts $\phi_1 \wedge \phi_2$ into PF form by algorithm AND; if $\phi$ is $\sigma X.\psi$, the algorithm transforms $\psi[\sigma X.\psi/X]$ into PF form.

Algorithm 2 AND($\phi$, $\psi$)

1: if $\phi$ is of the form $\bigvee_i (\phi_i \wedge \bigcirc \phi'_i)$ and $\psi$ is of the form $\bigvee_j (\psi_j \wedge \bigcirc \psi'_j)$ then

2: return $\bigvee_i \bigvee_j (\phi_i \wedge \psi_j \wedge \bigcirc(\phi'_i \wedge \psi'_j))$

3: end if

Algorithm AND is used by PFTran to deal with the $\wedge$ construct. Note that the inputs $\phi$ and $\psi$ of AND are both in PF form. Therefore, $\phi$ must be of the form $\bigvee_i (\phi_i \wedge \bigcirc \phi'_i)$ and $\psi$ of the form $\bigvee_j (\psi_j \wedge \bigcirc \psi'_j)$.

In the following, we use an example to demonstrate how to transform a closed νTL formula into PF form by means of algorithm PFTran.

Example 4. Transforming formula $\nu X.(r \wedge \bigcirc X) \wedge \mu Y.(q \vee p \wedge \bigcirc Y)$ into PF form by algorithm PFTran.

$$\text{PFTran}(\nu X.(r \wedge \bigcirc X) \wedge \mu Y.(q \vee p \wedge \bigcirc Y))$$

$$= \text{AND}(\text{PFTran}(\nu X.(r \wedge \bigcirc X)),\ \text{PFTran}(\mu Y.(q \vee p \wedge \bigcirc Y)))$$

$$= \text{AND}(\text{PFTran}(r \wedge \bigcirc \nu X.(r \wedge \bigcirc X)),\ \text{PFTran}(q \vee p \wedge \bigcirc \mu Y.(q \vee p \wedge \bigcirc Y)))$$

$$= \text{AND}(r \wedge \bigcirc \nu X.(r \wedge \bigcirc X),\ \text{PFTran}(q) \vee \text{PFTran}(p \wedge \bigcirc \mu Y.(q \vee p \wedge \bigcirc Y)))$$

$$= \text{AND}(r \wedge \bigcirc \nu X.(r \wedge \bigcirc X),\ q \wedge \bigcirc true \vee p \wedge \bigcirc \mu Y.(q \vee p \wedge \bigcirc Y))$$

$$= r \wedge q \wedge \bigcirc \nu X.(r \wedge \bigcirc X) \vee r \wedge p \wedge \bigcirc(\nu X.(r \wedge \bigcirc X) \wedge \mu Y.(q \vee p \wedge \bigcirc Y))$$

PF form enables us to split a formula $\phi$ into two parts: the present and the future one. The present part is a conjunction of atomic propositions or their negations in $\phi$, while the future part is a next formula consisting of the conjunction of formulas in $CL(\phi)$. To make $\phi$ satisfied, the present part should be satisfied at the current state while the future part at the next one. Further, we can repeat the transformation process by converting each formula in the future part into PF form, which inspires us to construct a graph, namely the Present Future form Graph (PFG), for describing models of $\phi$. This will be discussed in the next section.

4 Present Future Form Graph

4.1 Definition of PFG

For a closed νTL formula $\phi$, the PFG of $\phi$, denoted by $G_\phi$, is a tuple $(N_\phi, E_\phi, n_0)$ where $N_\phi$ is a set of nodes, $E_\phi$ a set of directed edges, and $n_0$ the root node. Each node in $N_\phi$ is specified by a conjunction of formulas in $CL(\phi)$, while each edge in $E_\phi$ is identified by a triple $(\phi_0, \phi_e, \phi_1)$, where $\phi_0, \phi_1 \in N_\phi$ and $\phi_e$ is the label of the edge from $\phi_0$ to $\phi_1$. An edge may be associated with a mark, which is a subset of the variables occurring in $\phi$.

Definition 3. For a given closed νTL formula $\phi$, $N_\phi$ and $E_\phi$ are inductively defined by:

1) $n_0 = \phi \in N_\phi$;

2) For all $\psi \in N_\phi \setminus \{false\}$, if $\psi = \bigvee_{i=1}^{k} (\psi_{p_i} \wedge \bigcirc \psi_{f_i})$, then $\psi_{f_i} \in N_\phi$ and $(\psi, \psi_{p_i}, \psi_{f_i}) \in E_\phi$ for each $i$ ($1 \le i \le k$).

Fig. 1. An example of PFG (nodes $n_0$: $\mu X.(p \vee \bigcirc X) \vee \nu Y.(q \wedge \bigcirc Y)$, $n_1$: $true$, $n_2$: $X$, $n_3$: $Y$)

In a PFG, the root node is denoted by a double circle and every other node by a single circle. Each edge is denoted by a directed arc connecting two nodes, with a label and possibly a mark. To simplify matters, we usually use variables to represent the corresponding fixpoint formulas occurring in a node. An example of PFG for formula $\mu X.(p \vee \bigcirc X) \vee \nu Y.(q \wedge \bigcirc Y)$ is depicted in Fig. 1. There are four nodes in the PFG, where $n_0$ is the root node. $(n_0, q, n_3)$ is an edge with label $q$ and mark $\{Y\}$, while $(n_0, p, n_1)$ is an edge with label $p$ and no mark.

4.2 Marks in PFG

From Fig. 1 we can see that there may exist a path in a PFG, e.g. $n_0, true, (n_2, true)^{\omega}$, which arises from the infinite unfolding of a least fixpoint formula. Thus, marks are useful in a PFG to keep track of the infinite unfolding problem for least fixpoint formulas when constructing the PFG.

Definition 4. Given a PFG $G_\phi$ and a node $\phi_m \in N_\phi$ where $\phi_m = \bigvee_{i=1}^{k} (\phi_{p_i} \wedge \bigcirc \phi_{f_i})$, the mark of edge $(\phi_m, \phi_{p_i}, \phi_{f_i})$ ($1 \le i \le k$) is a set of variables $M_i$ such that for each $X \in M_i$, the fixpoint formula $\sigma X.\phi_X$ identified by $X$ appears as a subformula of $\phi_{f_i}$ and has not been unfolded by a formula $\nu Y.\phi_Y$ where $Y$ is higher than $X$ in the PF form transformation process.

We use the notion of μ-signatures to explain how marks are added to a PFG. Intuitively, a variable $X$ is added to a mark in a PF form transformation process if the unfolding of the corresponding formulas does not increase the μ-signature w.r.t. $X$. As a result, we can use marks to detect infinite descending chains of μ-signatures.

When transforming a formula into its PF form, the occurrence of a fixpoint formula $\sigma X.\phi_X$ in the future part $\phi_{f_i}$ may be caused by the unfolding of: (I) itself, (II) a least fixpoint formula $\mu Y.\phi_Y$ where $Y$ is higher than $X$, or (III) a greatest fixpoint formula $\nu Z.\phi_Z$ where $Z$ is higher than $X$. According to Lemma 3.5 in [8], the μ-signature w.r.t. $X$ does not increase unless case III happens. For example, as shown in Fig. 2, when node $n_0$ is transformed into PF form, $n_0 = true \wedge \bigcirc n_1$, the occurrence of $\mu Y.(p \vee \bigcirc Y)$ in $n_1$ is due to the unfolding of $\nu Z.\bigcirc(\bigcirc(\mu Y.(p \vee \bigcirc Y)) \wedge Z)$; hence $Y$ does not appear in the mark of edge $(n_0, true, n_1)$.

Fig. 2 (nodes): $n_0$: $\nu Z.\bigcirc(\bigcirc(\mu Y.(p \vee \bigcirc Y)) \wedge Z)$, $n_1$: $\bigcirc Y \wedge Z$, $n_2$: $Y \wedge \bigcirc Y \wedge Z$

Fig. 3. How the marks work (node $n_0$: $\mu X.(p \vee \bigcirc X)$, with an edge labelled $true$ and marked $\{X\}$)

Note that cases I and II, or I and III (e.g. the occurrence of $Y$ in the mark of edge $(n_0, true, n_0)$ in Fig. 2), can occur simultaneously. If that happens, the μ-signature w.r.t. $X$ still does not increase. In particular, cases II and III cannot happen simultaneously since $X$ is bound exactly once.

Given a formula $\sigma X.\phi$, to construct its PFG we sometimes need to deal with a formula of the form $\bigwedge_{i=1}^{n} \sigma_i X_i.\phi_i$, where each $\sigma_i X_i.\phi_i \in CL(\sigma X.\phi)$ and $i < j$ implies $X_i$ is higher than $X_j$, in a PF form transformation process. It is straightforward that the unfolding of $\sigma_n X_n.\phi_n$ ensures that the μ-signature w.r.t. each $X_i$ does not increase after the transformation, whatever the value of each $\sigma_i$.

In the following, we use a simple example to illustrate how the marks work.

Example 5. Tracing the infinite unfolding of $\mu X.(p \vee \bigcirc X)$ using marks.

The PF form of $\mu X.(p \vee \bigcirc X)$ is $\mu X.(p \vee \bigcirc X) = p \wedge \bigcirc true \vee true \wedge \bigcirc \mu X.(p \vee \bigcirc X)$. The second disjunct of the PF form leads to the generation of edge $(n_0, true, n_0)$ in Fig. 3. Then mark $\{X\}$ is added accordingly, since $\mu X.(p \vee \bigcirc X)$ appears in the future part of the PF form and has been unfolded by itself in the PF form transformation process. Moreover, it is easy to see that all other edges have no marks. Formula $\mu X.(p \vee \bigcirc X)$ indicates that the atomic proposition $p$ finally holds somewhere, and therefore path $(n_0, true)^{\omega}$ does not characterize a model. Actually, $(n_0, true)^{\omega}$ is generated by the infinite unfolding of $\mu X.(p \vee \bigcirc X)$, and the infinite occurrence of mark $\{X\}$ on this path describes exactly an infinite descending chain of μ-signatures for $\mu X.(p \vee \bigcirc X)$. This is why we need marks.

4.3 Paths in PFG

A path $\Pi$ in a PFG $G_\phi$ is an infinite alternating sequence of nodes and edges departing from the root node. In the following, we show how to establish the relationship between paths in a PFG and linear time structures.

Let $Atom(\bigwedge_{i=1}^{m} q_i)$ denote the set of atomic propositions or their negations appearing in formula $\bigwedge_{i=1}^{m} q_i$. Given a path $\Pi = \phi_0, \phi_{e_0}, \phi_1, \phi_{e_1}, \ldots$ in a PFG, we can obtain a corresponding linear time structure $Atom(\phi_{e_0}), Atom(\phi_{e_1}), \ldots$.

Example 6. Paths in Fig. 4.

1) Path $n_0, true, (n_1, p)^{\omega}$ corresponds to the linear time structure $\{true\}\{p\}^{\omega}$.

2) Path $n_0, true, (n_2, true, n_1, p)^{\omega}$ corresponds to the linear time structure $\{true\}(\{true\}\{p\})^{\omega}$.

Fig. 2. PFG of $\nu Z.\bigcirc(\bigcirc(\mu Y.(p \vee \bigcirc Y)) \wedge Z)$

Fig. 4. Paths in PFG (nodes $n_0$: $\nu Z.\mu Y.\bigcirc(p \wedge Z \vee Y)$, $n_1$: $p \wedge Z$, $n_2$: $Y$)

Actually, each node in the PFG $G_\phi$ of formula $\phi$ corresponds precisely to a consistent subset of $CL(\phi)$. In other words, each path in $G_\phi$ characterizes a pre-model [8], [9] of $\phi$. A pre-model is almost a model except that it ignores the infinite unfolding problem for least fixpoint formulas. We can distinguish real models from all pre-models using marks.

4.4 Algorithm for Constructing PFG

Given a closed νTL formula $\phi$, the whole process of constructing its PFG $G_\phi$ is presented in Algorithm 3.

Algorithm 3 PFGCon($\phi$)

1: $n_0 = \phi$, $N_\phi = \{n_0\}$, $E_\phi = \emptyset$, isHandled[$n_0$] = 0

2: while there exists $\psi \in N_\phi \setminus \{false\}$ with isHandled[$\psi$] = 0 do

3: isHandled[$\psi$] = 1

4: $\phi' = $ PFTran($\psi$) /* suppose $\psi = \bigvee_{i=1}^{k} (\psi_{p_i} \wedge \bigcirc \psi_{f_i})$ */

5: for $i = 1$ to $k$ do

6: if $\psi_{p_i}$ is not $false$ then

7: $E_\phi = E_\phi \cup \{(\psi, \psi_{p_i}, \psi_{f_i})\}$ /* adding edges */

8: AddMark($(\psi, \psi_{p_i}, \psi_{f_i})$) /* obtaining the corresponding marks */

9: if $\psi_{f_i} \notin N_\phi$ then

10: $N_\phi = N_\phi \cup \{\psi_{f_i}\}$ /* adding nodes */

11: if $\psi_{f_i}$ is not $false$ then

12: isHandled[$\psi_{f_i}$] = 0 /* $\psi_{f_i}$ is a new node which needs to be handled */

13: else

14: isHandled[$\psi_{f_i}$] = 1 /* $\psi_{f_i}$ does not need to be handled */

15: end if

16: end if

17: end if

18: end for

19: end while

20: for all $\psi \in N_\phi$ with no outgoing edge do

21: $N_\phi = N_\phi \setminus \{\psi\}$ /* eliminating redundant nodes and the related edges */

22: $E_\phi = E_\phi \setminus \bigcup_i \{(\psi_i, \psi_e, \psi)\}$

23: end for

24: return $G_\phi$

The algorithm takes $\phi$ as input and returns $G_\phi$. First, $n_0$ is assigned to $\phi$. $N_\phi$ and $E_\phi$ are initialized to $\{n_0\}$ and $\emptyset$, respectively. Then the algorithm repeatedly converts an unhandled formula $\psi \in N_\phi$ into PF form by algorithm PFTran and adds the corresponding nodes and edges to $N_\phi$ and $E_\phi$, respectively, until all formulas in $N_\phi$ have been handled. isHandled[] is used to indicate whether a formula has been handled. If isHandled[$\psi$] = 0, $\psi$ still needs to be handled; otherwise, $\psi$ has been handled or there is no need to handle it. Function AddMark is utilized to mark an edge with a subset of the variables occurring in $\phi$ by distinguishing appropriate fixpoint formulas from all fixpoint formulas contained in the future part of a certain PF form.

Algorithm 4 AddMark($(\psi, \psi_{p_i}, \psi_{f_i})$)

1: for each conjunct $\psi_c$ of $\psi_{f_i}$ do

2: if $\psi_c$ is of the form $\bigcirc^{n} \sigma X.\psi_X$ and flag[$\sigma X.\psi_X$] = 0 then

3: $M_i = M_i \cup \{X\}$ /* $M_i$ represents the mark of edge $(\psi, \psi_{p_i}, \psi_{f_i})$ */

4: end if

5: end for

The input of algorithm AddMark is an edge $(\psi, \psi_{p_i}, \psi_{f_i})$ in $G_\phi$. In the algorithm, flag[] is employed to denote whether a fixpoint formula $\phi_{fix}$ appearing in the future part of a PF form has been unfolded by a greatest fixpoint formula $\nu Y.\psi_Y$, where $Y$ is higher than the variable identifying $\phi_{fix}$, in the PF form transformation process. If flag[$\phi_{fix}$] = 1, $\phi_{fix}$ is unfolded by $\nu Y.\psi_Y$; otherwise, it is unfolded by itself or by a least fixpoint formula. For any fixpoint subformula $\sigma Z.\psi_{sub}$ of $\psi$, flag[$\sigma Z.\psi_{sub}$] is assigned 0 before $\psi$ is transformed into PF form. For the input $(\psi, \psi_{p_i}, \psi_{f_i})$, AddMark checks each conjunct $\psi_c$ of $\psi_{f_i}$. If $\psi_c$ is of the form $\bigcirc^{n} \sigma X.\psi_X$ ($n \ge 0$) and flag[$\sigma X.\psi_X$] = 0, $X$ is added to $M_i$. Here $\bigcirc^{n}$ represents $n$ consecutive $\bigcirc$ operators, and $M_i$ represents the mark of the edge $(\psi, \psi_{p_i}, \psi_{f_i})$.

Additionally, it is worth pointing out that, throughout the construction of $G_\phi$, a $false$ node (e.g. $p \wedge \neg p$) may be generated, which corresponds to an inconsistent subset of $CL(\phi)$. Such nodes have no successor and are redundant. We use the for loop in Line 20 of PFGCon to remove those redundant nodes as well as the related edges.

Example 7. Constructing the PFG of formula $\mu X.(p \vee \bigcirc X) \vee \nu Y.(q \wedge \bigcirc Y)$ by algorithm PFGCon.

As depicted in Fig. 1, at the very beginning, the root node $\mu X.(p \vee \bigcirc X) \vee \nu Y.(q \wedge \bigcirc Y)$ is created and denoted by $n_0$; then we transform $\mu X.(p \vee \bigcirc X) \vee \nu Y.(q \wedge \bigcirc Y)$ into PF form:

$$\mu X.(p \vee \bigcirc X) \vee \nu Y.(q \wedge \bigcirc Y) = p \wedge \bigcirc true \vee true \wedge \bigcirc \mu X.(p \vee \bigcirc X) \vee q \wedge \bigcirc \nu Y.(q \wedge \bigcirc Y)$$

Accordingly, nodes $true$, $\mu X.(p \vee \bigcirc X)$ and $\nu Y.(q \wedge \bigcirc Y)$ are created and denoted respectively by $n_1$, $n_2$ and $n_3$. Meanwhile, edges $(n_0, p, n_1)$, $(n_0, true, n_2)$ and $(n_0, q, n_3)$ are created, among which $(n_0, true, n_2)$ is marked with $\{X\}$ and $(n_0, q, n_3)$ with $\{Y\}$. Further, $true$ is transformed into PF form: $true = true \wedge \bigcirc true$. Thus, edge $(n_1, true, n_1)$ is created. After that, $\mu X.(p \vee \bigcirc X)$ is transformed into PF form: $\mu X.(p \vee \bigcirc X) = p \wedge \bigcirc true \vee true \wedge \bigcirc \mu X.(p \vee \bigcirc X)$. Hence, edges $(n_2, p, n_1)$ and $(n_2, true, n_2)$ are created, where $(n_2, true, n_2)$ is marked with $\{X\}$. Finally, $\nu Y.(q \wedge \bigcirc Y)$ is transformed into PF form: $\nu Y.(q \wedge \bigcirc Y) = q \wedge \bigcirc \nu Y.(q \wedge \bigcirc Y)$. Accordingly, edge $(n_3, q, n_3)$ is created with mark $\{Y\}$, and the whole construction process terminates.

4.5 Finiteness of PFG 

In the PFG G_φ of formula φ generated by algorithm PFGCon, N_φ and E_φ are produced by repeatedly transforming the unhandled nodes into PF form. Since each node in N_φ is a conjunction of formulas in CL(φ), the following corollary is easily obtained.

Corollary 3. For any closed νTL formula φ, the number of nodes in G_φ is bounded by 2^{O(|φ|)} and the number of edges in G_φ is bounded by 2^{O(|φ|)} · 2^{O(n_p)} · 2^{O(n_ν)} · 2^{O(|φ|)} (which is also 2^{O(|φ|)}), where n_p and n_ν denote the number of atomic propositions and of fixpoint subformulas occurring in φ, respectively.

5 Decision Procedure Based on PFG 

In this section we show how to find a model for a given closed νTL formula φ from its PFG G_φ. In fact, each outgoing edge of a node in G_φ amounts to a possible choice prescribed by an underlying choice function. Since a node cannot have multiple choices simultaneously, we restrict ourselves here only to paths ending with simple loops in G_φ. Let Π be a path in G_φ; for convenience, we use LES(Π) to denote the set of edges appearing in the loop part of Π, Mark(E) the mark of edge E, and LMS(Π) the set of all μ-variables occurring in each Mark(E_i) where E_i ∈ LES(Π).

5.1 v-path 

Here we present the notion of ν-paths, which plays a vital role in obtaining the PFG-based decision procedure for νTL.

Definition 5. Given a PFG G_φ and a path Π in G_φ, we call Π a ν-path iff for each X ∈ LMS(Π), an edge E ∈ LES(Π) can be found such that X ∉ Mark(E) and there exists no X' ∈ Mark(E) where X < X'.

Example 8. ν-paths in Fig. 5.

1) Π_1: (n_0, p ∧ q)^ω. Π_1 is a ν-path since LMS(Π_1) = ∅.

2) Π_2: n_0, true, (n_1, true)^ω. We have LES(Π_2) = {(n_1, true, n_1)} and LMS(Π_2) = {Y, W}. For the first variable Y ∈ LMS(Π_2), we cannot find an edge in LES(Π_2) whose mark does not contain Y. So Π_2 is not a ν-path.

3) Π_3: n_0, p, (n_2, true, n_1, p)^ω. We have LES(Π_3) = {(n_2, true, n_1), (n_1, p, n_2)} and LMS(Π_3) = {Y, W}. For the first variable Y ∈ LMS(Π_3), we can find an edge (n_1, p, n_2) ∈ LES(Π_3) whose mark contains neither Y nor any variable depending on Y. However, for the second variable W ∈ LMS(Π_3), we cannot find an edge in LES(Π_3) whose mark does not contain W. Therefore, Π_3 is not a ν-path.

4) Π_4: (n_0, q, n_3, p ∧ q)^ω. We have LES(Π_4) = {(n_0, q, n_3), (n_3, p ∧ q, n_0)} and LMS(Π_4) = {Y}. For the only variable Y ∈ LMS(Π_4), we can find an edge (n_3, p ∧ q, n_0) ∈ LES(Π_4) whose mark contains neither Y nor any variable depending on Y. Thus, Π_4 is a ν-path.

5) Π_5: n_0, p, (n_2, true, n_1, q, n_3, true, n_1, p)^ω. We have LES(Π_5) = {(n_2, true, n_1), (n_1, q, n_3), (n_3, true, n_1), (n_1, p, n_2)} and LMS(Π_5) = {Y, W}. For the first variable Y ∈ LMS(Π_5), we can find an edge (n_1, p, n_2) ∈ LES(Π_5) whose mark contains neither Y nor any variable depending on Y. Further, for the second variable W ∈ LMS(Π_5), we can find an edge (n_1, q, n_3) ∈ LES(Π_5) whose mark contains neither W nor any variable depending on W. Therefore, Π_5 is a ν-path.

Regarding the notion of ν-paths, the following theorem is formalized.

Theorem 4. A closed νTL formula φ is satisfiable iff a ν-path can be found in G_φ.

Proof. (⇒) Suppose φ is satisfiable and no ν-path exists in G_φ. In this case, for any path Π_1 in G_φ, there exists at least one X ∈ LMS(Π_1) such that for each edge E_1 ∈ LES(Π_1), either X ∈ Mark(E_1) or X' ∈ Mark(E_1) for some X' with X < X'.

As a result, we can obtain the following sequence of variables according to the sequence of marks in the loop part of Π_1:

$$X, X_1, X_2, \ldots, X_n, X$$

where each X_i (1 ≤ i ≤ n) is either X itself or a variable depending on X.

Further, according to the sequence of variables above, we can acquire the following sequence of fixpoint formulas:

$$\mu X.\varphi_X,\ \sigma X_1.\varphi_1,\ \sigma X_2.\varphi_2,\ \ldots,\ \sigma X_n.\varphi_n,\ \mu X.\varphi_X$$

Here each σX_i.φ_i is identified by X_i and μX.φ_X by X. Since each X_i is either X or a variable depending on X, μX.φ_X must appear as a subformula of each σX_i.φ_i. According to the way the marks are added, it can be seen that the above sequence describes exactly an infinite descending chain of μ-signatures w.r.t. X. By the well-foundedness of μ-signatures we can derive that Π_1 does not characterize a model of φ. This contradicts the premise that φ is satisfiable. Therefore, if φ is satisfiable, there exists at least one ν-path in G_φ.

(⇐) Let Π_2 be a ν-path in G_φ.

When LMS(Π_2) is empty, no infinite descending chain of μ-signatures on Π_2 can be detected. Consequently, Π_2 characterizes a model of φ.

When LMS(Π_2) is not empty, we have that for each Y ∈ LMS(Π_2), an edge E_2 ∈ LES(Π_2) can be found such that Y ∉ Mark(E_2) and there exists no Y' ∈ Mark(E_2) where Y < Y'. Subsequently, for each sequence of variables relevant to Y obtained according to the sequence of marks in the loop part of Π_2:

$$Y, Y_1, Y_2, \ldots, Y_m, Y$$

we can obtain the following sequence of fixpoint formulas:

$$\mu Y.\varphi_Y,\ \sigma Y_1.\varphi_1,\ \sigma Y_2.\varphi_2,\ \ldots,\ \sigma Y_m.\varphi_m,\ \mu Y.\varphi_Y$$

where there must exist a formula σY_j.φ_j (1 ≤ j ≤ m) in which μY.φ_Y does not appear as a subformula. Similarly, we have that Π_2 characterizes a model of φ according to the well-foundedness of μ-signatures w.r.t. Y. It follows that when there exists a ν-path in G_φ, φ is satisfiable. □

Consequently, we reduce the satisfiability problem of νTL formulas to a ν-path searching problem in a PFG.


Fig. 5. ν-paths in PFG. Nodes: n_0: νX.μY.(○Y ∨ p ∧ ○X) ∧ νZ.μW.(○W ∨ q ∧ ○Z); n_1: Y ∧ W; n_2: X ∧ W; n_3: Y ∧ Z.

Fig. 6. Examples of PFGs for satisfiability checking. (a) n_0: νZ.(μX.(○X ∨ νY.(p ∧ ○Y)) ∧ ○Z); n_1: X ∧ Z; n_2: Y ∧ Z; n_3: Y ∧ X ∧ Z. (b) n_0: μX.(μY.(p ∧ ○Y) ∨ ○X); n_1: Y.


Example 9. Checking satisfiability of the following formulas.

(1) νZ.(μX.(○X ∨ νY.(p ∧ ○Y)) ∧ ○Z)

(2) νX.(p ∧ ○X) ∧ νY.(¬p ∧ ○Y)

(3) μX.(μY.(p ∧ ○Y) ∨ ○X)

For formula (1), as depicted in Fig. 6 (a), since a ν-path n_0, p, (n_1, p, n_1, p)^ω can be found in its PFG, it is satisfiable. For formula (2), as its PFG is empty and contains no ν-path, it is unsatisfiable. For formula (3), as depicted in Fig. 6 (b), no ν-path exists in its PFG and hence it is unsatisfiable.


Algorithm 6 Tarjan(G_φ, v)

1: dfn[v] = low[v] = ++index
2: visit[v] = 1
3: Stack.push(v)
4: for each edge e ∈ E_φ where src[e] = v do
5:   if visit[tgt[e]] = 0 then
6:     Tarjan(G_φ, tgt[e])
7:     low[v] = min{low[v], low[tgt[e]]}
8:   else
9:     if tgt[e] is in Stack then
10:      low[v] = min{low[v], dfn[tgt[e]]}
11:    end if
12:  end if
13: end for
14: if dfn[v] = low[v] then
15:   subGraph scc   /* a new, empty SCC */
16:   repeat
17:     u = Stack.top()
18:     Stack.pop()
19:     scc.push_back(u)
20:   until v = u
21:   sccs.push_back(scc)
22: end if


5.2 Implementation of the Decision Procedure 

Based on Theorem 4, a PFG-based decision procedure, algorithm PFGSAT, for checking satisfiability of νTL formulas is derived.

Algorithm 5 PFGSAT(φ)

1: G_φ = PFGCon(φ)
2: if G_φ is empty then
3:   return unsatisfiable
4: end if
5: Tarjan(G_φ, n_0)
6: for each scc ∈ sccs do
7:   SCCNuSearch(v, scc)   /* v is an arbitrary node in scc */
8: end for
9: return unsatisfiable


The algorithm takes a closed νTL formula φ as input and returns whether φ is satisfiable in the end. To do so, the PFG G_φ of φ is constructed first. Next, it checks whether G_φ is empty: if so, φ is unsatisfiable since no ν-path can be found in G_φ; otherwise, the algorithm tries to find a ν-path in G_φ. Further, algorithm Tarjan is employed to compute all strongly connected components (SCCs) in G_φ. Finally, the algorithm checks by algorithm SCCNuSearch whether there exists a loop in some SCC which corresponds to a ν-path: if so, SCCNuSearch returns that φ is satisfiable; otherwise, φ is unsatisfiable.

SCC Computation. Tarjan's algorithm [27], presented in Algorithm 6, is a classical algorithm for computing SCCs in a graph based on depth-first search (DFS). The algorithm takes a PFG G_φ and a node v in G_φ as inputs and acquires all SCCs in G_φ. dfn[u] is employed to represent the timestamp of a given node u, indicating the number of nodes which have been visited before u is visited, while low[u] is the timestamp of the earliest node reachable from u or from the subtrees of u. Also, we use visit[] to denote whether a node u has been visited. If visit[u] = 1, u has already been visited; otherwise, u has not been visited yet. For each node u in G_φ, visit[u] is initialized to 0. src[] and tgt[] are utilized to obtain the source and target nodes of an edge, respectively.


Algorithm 7 SCCNuSearch(v, scc)

1: NS.push_back(v)
2: for each edge e in scc do
3:   if src[e] = v and visit[e] = 0 then
4:     ES.push_back(e)
5:     visit[e] = 1
6:     if isLoop(tgt[e], pos) then
7:       TES.assign(ES.begin() + pos, ES.end())
8:       if isNuPath(TES) then
9:         return satisfiable
10:      end if
11:      ES.pop_back()
12:    else
13:      SCCNuSearch(tgt[e], scc)
14:    end if
15:  end if
16: end for
17: if ES.size() > 0 then
18:   ES.pop_back()
19: end if
20: NS.pop_back()


Path Construction. Given an SCC scc in a PFG G_φ and an arbitrary node v in scc, we use algorithm SCCNuSearch to build a path which is likely to correspond to a ν-path in G_φ. Two global variables, ES and NS, are used in the algorithm. ES is a vector which stores the sequence of edges used to construct a path ending with a loop. NS is also a vector, storing the sequence of nodes corresponding to ES. In addition, src[] and tgt[] are employed to obtain the source and target nodes of an edge, respectively. The algorithm uses visit[] to indicate whether an edge e has been visited. If visit[e] = 1, e has already been visited; otherwise, e has not been visited yet. For each edge e in G_φ, visit[e] is initialized to 0. isLoop and isNuPath are two boolean functions. isLoop determines whether a node u exists in NS and obtains, if so, the position of u in NS. isNuPath determines whether a sequence of edges corresponds to a ν-path.


Algorithm 8 isLoop(v, pos)

1: counter = 0
2: for each node u ∈ NS do
3:   counter++
4:   if u = v then
5:     pos = counter
6:     return true
7:   end if
8: end for
9: return false


In algorithm SCCNuSearch, v is added to NS first. After that, for each unvisited edge e in scc whose source node is v, the algorithm adds it to ES and assigns visit[e] = 1. Then, it determines whether tgt[e] exists in NS by means of algorithm isLoop. If the output of isLoop is true, there exists a loop in ES and we use TES to store the loop part of ES. Further, algorithm isNuPath is called to decide whether TES corresponds to a ν-path. If the output of isNuPath is true, the given formula is satisfiable and the algorithm terminates; otherwise, the last edge in ES is removed and the for loop continues, searching for another unvisited edge in scc whose source node is v in order to establish a new path. In case the output of isLoop is false, which means the current ES cannot yet form a path ending with a loop, the algorithm calls itself and tries to build new paths from node tgt[e]. If the conditional statement in Line 3 is never satisfied, i.e., every edge in scc with v as its source node has been visited, v is removed from NS. Note that if the size of ES is greater than 0 when the loop terminates, we need to remove the last edge in ES generated by the next level of recursion.


Algorithm 9 isNuPath(TES)

1: for each edge e ∈ TES do
2:   if X ∈ Mark(e) and X is a μ-variable then
3:     MS = MS ∪ {X}
4:   end if
5: end for
6: for each V ∈ MS do
7:   for each e' ∈ TES do
8:     if V ∈ Mark(e') or V' ∈ Mark(e') where V < V' then
9:       c++
10:      continue
11:    else
12:      c = 0
13:      break
14:    end if
15:  end for
16:  if c > 0 then
17:    return false
18:  end if
19: end for
20: return true


ν-path Determination. Given a sequence of edges TES, we use algorithm isNuPath to determine whether TES corresponds to a ν-path. The algorithm uses MS to denote the set of all μ-variables appearing in each Mark(e) where e ∈ TES. c is a counter calculating how many edges in TES have been handled by the for loop in Line 7 of algorithm isNuPath, and it is initialized to 0.

For the input TES, the algorithm first computes the set of μ-variables MS: for each edge e ∈ TES, if there exists a μ-variable X ∈ Mark(e), X is added to MS. Subsequently, to confirm whether TES corresponds to a ν-path, we need to seek out an edge e' ∈ TES for each V ∈ MS such that V ∉ Mark(e') and, meanwhile, there exists no V' ∈ Mark(e') such that V < V'. Further, for the conditional statement in Line 8, if the else-branch is never executed, c will be equal to the size of TES when the inner for loop terminates. Consequently, the condition in Line 16 is satisfied, that is, false is returned by the algorithm, which indicates that TES does not correspond to a ν-path. When the else-branch is executed, c is set to 0 and the break statement jumps out of the inner for loop. In this case, the condition in Line 16 cannot be satisfied and the outer for loop proceeds to deal with the next μ-variable in MS.

Note that if the else-branch is executed for each V ∈ MS, the algorithm will finally return true, which means TES indeed corresponds to a ν-path.
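As an added example (Python, not the paper's C++ tool), Definition 5 together with Algorithms 7 and 9 run over a constructed copy of the Fig. 5 graph: the edges are the ones Example 8 walks through, the marks on its loop edges are as that example reports them, the marks on (n_0, true, n_1) and (n_0, p, n_2) are assumed, and the loop slice starts at the 0-based index of the repeated node in NS.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Edge:
    """One PFG edge (src, label, tgt) together with its mark."""
    src: str
    label: str
    tgt: str
    mark: frozenset = frozenset()


def E(src, label, tgt, *mark):
    return Edge(src, label, tgt, frozenset(mark))


# The formula of Fig. 5 is nuX.muY.(oY v p ^ oX) ^ nuZ.muW.(oW v q ^ oZ):
# Y and W are mu-variables, Y depends on X and W depends on Z (X < Y, Z < W).
MU_VARS = frozenset({"Y", "W"})
HIGHER = {"X": {"Y"}, "Z": {"W"}}  # V -> the variables V' with V < V'

# Constructed copy of the part of Fig. 5 that Example 8 uses. Marks on loop
# edges are as Example 8 reports them; the marks on (n0,true,n1) and
# (n0,p,n2), which lie on no loop there, are assumed. Label "p&q" is p ^ q.
FIG5_EDGES = [
    E("n0", "q", "n3", "Y"),
    E("n0", "true", "n1", "Y", "W"),
    E("n0", "p", "n2", "W"),
    E("n1", "true", "n1", "Y", "W"),
    E("n1", "p", "n2", "W"),
    E("n1", "q", "n3", "Y"),
    E("n2", "true", "n1", "Y", "W"),
    E("n3", "true", "n1", "Y", "W"),
    E("n3", "p&q", "n0", "Z"),
    E("n0", "p&q", "n0"),
]


def loop_mu_vars(loop_edges, mu_vars=MU_VARS):
    """LMS: the mu-variables occurring in the marks of the loop edges."""
    return {v for e in loop_edges for v in e.mark if v in mu_vars}


def is_nu_path(loop_edges, mu_vars=MU_VARS, higher=HIGHER):
    """Definition 5 / Algorithm 9: for every V in LMS some loop edge must carry
    neither V nor any V' with V < V' in its mark."""
    for v in loop_mu_vars(loop_edges, mu_vars):
        blocked = {v} | set(higher.get(v, ()))
        if not any(e.mark.isdisjoint(blocked) for e in loop_edges):
            return False          # every loop edge re-descends w.r.t. v
    return True


def find_nu_loop(scc_edges, start):
    """Algorithm 7 (SCCNuSearch): DFS from `start` over the edges of one SCC,
    taking each edge at most once; returns the first loop that is a nu-path
    (as its list of edges), or None."""
    ns, es, visited = [start], [], set()   # NS, ES and visit[] of the paper

    def search(v):
        for e in scc_edges:
            if e.src != v or e in visited:
                continue
            visited.add(e)
            es.append(e)
            if e.tgt in ns:                      # isLoop: the path closes here
                pos = ns.index(e.tgt)            # 0-based position of the repeated node
                tes = es[pos:]                   # TES: the loop part of ES
                if is_nu_path(tes):
                    return list(tes)
            else:
                ns.append(e.tgt)
                found = search(e.tgt)
                ns.pop()
                if found:
                    return found
            es.pop()                             # drop this edge and try the next one
        return None

    return search(start)


if __name__ == "__main__":
    loop = find_nu_loop(FIG5_EDGES, "n0")
    print([(e.src, e.label, e.tgt) for e in loop])   # the loop part of Pi_4 in Example 8
```

With this edge order the search backtracks through the non-ν loops of Π_2 and Π_3 before closing the loop (n_0, q, n_3), (n_3, p ∧ q, n_0) of Π_4.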

All the above-mentioned algorithms have been implemented 
in C++. In what follows we exhibit several PFGs generated by 
our tool. 

Example 10. PFGs generated by our tool.

I. μX.νY.(○X ∨ p ∧ ○Y) ∧ νZ.μW.(○W ∨ q ∧ ○Z)

II. μX.μY.(q ∧ ○X ∨ p ∧ ○Y) ∧ μW.(s ∨ r ∧ ○W)

III. μX.νY.(p ∨ ○(X ∧ q) ∨ ○(X ∧ ○Y))

IV. νZ.○(μX.(○X ∨ νY.(p ∧ ○Y)) ∧ ○Z)

V. νZ.(νX.(p ∧ ○X ∨ ○○Z) ∧ μY.(q ∧ ○Y ∨ r ∧ ○Z)) ∧ νR.(s ∧ ○○R)

In a PFG generated by our tool, when φ is satisfiable, we use a red path to denote the loop found by algorithm SCCNuSearch which corresponds to a ν-path. Therefore, any path ending with the red loop characterizes a model of φ.

As illustrated in Fig. 7, formula I is satisfiable since a ν-path n_0, p ∧ q, (n_1, p, n_1, p ∧ q)^ω is found. The linear time structure {p, q}({p}{p, q})^ω obtained from this ν-path is indeed a model of formula I, since the atomic proposition p eventually always holds while q always eventually holds. Similarly, from Figs. 9, 10 and 11 we can see that formulas III, IV and V are all satisfiable. For formula II, as depicted in Fig. 8, no red path exists in its PFG. Hence it is unsatisfiable.



Fig. 7. PFG of formula I

Fig. 8. PFG of formula II

Fig. 9. PFG of formula III

Fig. 10. PFG of formula IV

Fig. 11. PFG of formula V


5.3 Experimental Results 

We have implemented a prototype of our PFG-based decision procedure in C++. Given a guarded formula, the prototype is able to construct its PFG and find a ν-path in the PFG. To evaluate the performance of our tool, we compare it with the tool given in [15], which is the only tool available for the decision problems of νTL.

In [15], the authors have checked the validity of the following three families of formulas, Include_n, Nester_n and Counter_n, on a PC with 1G of memory.

$$\mathit{Include}_n = \nu X.(\underbrace{q \wedge \bigcirc(q \wedge \bigcirc(\cdots \bigcirc(q \wedge \bigcirc}_{2n\ \text{times}}(\neg q \wedge \bigcirc X))\cdots))) \rightarrow \nu Z.\mu Y.(\neg q \wedge \bigcirc Z \vee q \wedge \bigcirc(q \wedge \bigcirc Y))$$

$$\mathit{Nester}_n = \psi \vee \neg\psi,\quad \text{where } \psi = \mu X_1.\nu X_2.\mu X_3.\ldots\sigma X_n.(q_1 \vee \bigcirc(X_1 \wedge (q_2 \vee \bigcirc(X_2 \wedge \ldots (q_n \vee \bigcirc X_n)\ldots))))$$

$$\mathit{Counter}_n = \bigvee_{i=0}^{n} \neg c_i \vee \mu X.\Big(\bigcirc X \vee (c_0 \leftrightarrow \bigcirc\neg c_0) \vee \bigvee_{i=1}^{n} \big(\bigcirc c_i \leftrightarrow c_i \wedge \neg c_{i-1} \vee c_{i-1} \wedge (\bigcirc c_i \leftrightarrow c_i)\big)\Big)$$

Include_n describes the property ((aa)^n b)^ω ⊆ ((aa)^* b)^ω, where the alphabet symbol a is the label {q} and b is ∅. Note that Include_n is not LTL-definable for any n ∈ ℕ. Nester_n is a class of formulas with several alternating fixpoint operators. ¬Counter_n formalizes an (n + 1)-bit counter.

TABLE 1
Experimental results

                 ¬Include_n                       ¬Nester_n                        ¬Counter_n
 n    Time   PFG nodes  PFG edges      Time   PFG nodes  PFG edges      Time   PFG nodes  PFG edges
      (ms)   (number)   (number)       (ms)   (number)   (number)       (ms)   (number)   (number)
 0       0          6         18         —          —          —          0          2          2
 1      31         17         39         0          1          1          0          4          4
 2      63         28         64        31         10         30         16          8          8
 3     124         39         85     1,185         73        386                    16         16
 4                 50                128,559        601      4,640        889         32         32
 5     328         61        127  18,075,924     5,401     55,419      5,117         64         64

Cells left blank are not legible in the source.

We equivalently check satisfiability of ¬Include_n, ¬Nester_n and ¬Counter_n. The experiments are carried out on a 1.73 GHz Genuine Intel(R) CPU T2080 with 1G of memory. Table 1 presents the empirical measures for the complexity of the PFG-based decision procedure. The columns Time denote the running time to decide satisfiability of each formula. The columns PFG nodes (resp. PFG edges) give the number of nodes (resp. edges) in the PFG of the corresponding formula. In [15], the running time for checking validity of each formula is always around a few minutes. In addition, that tool suffers from memory overflow for formulas Nester_4, Nester_5 and Counter_5. However, satisfiability can in most cases be decided in less than 1 second using our tool. In particular, it takes only about 5 seconds to decide satisfiability of ¬Counter_5, while the satisfiability of ¬Nester_4 and ¬Nester_5 can be decided in about 2 minutes and 5 hours, respectively. Therefore, it can be seen that our method has better performance in practice.

5.4 Complexity Issues 

In this section we discuss the complexity of the PFG-based decision procedure. Let φ be a closed νTL formula, G_φ = (N_φ, E_φ, n_0) the PFG of φ, and n_ν the number of fixpoint subformulas appearing in φ. We write |φ| for the size of φ, and |N_φ| and |E_φ| for the number of nodes and edges in G_φ, respectively. By Corollary 3, both |N_φ| and |E_φ| are bounded by 2^{O(|φ|)}. Regarding φ, we have the following lemmas.

Lemma 5. Algorithm PFTran can be done in 2^{O(|φ|)}.

Proof. First of all, it can be seen that the running time of PFTran depends mainly on the number of recursive calls to itself as well as on the running time of algorithm AND.

The proof proceeds by induction on the structure of φ.

• Base case:

- φ = true, false, φ_p, φ_p ∧ ○ψ (where φ_p is of the form ⋀_i p_i), or ○ψ: the lemma holds obviously in these cases.

• Induction:

- φ = φ_1 ∨ φ_2: by the induction hypothesis, PFTran(φ_1) and PFTran(φ_2) can be finished in 2^{O(|φ_1|)} and 2^{O(|φ_2|)}, respectively. Further, the running time of PFTran(φ) is 2^{O(|φ_1|)} + 2^{O(|φ_2|)}, which is bounded by 2^{O(|φ|)}.

- φ = φ_1 ∧ φ_2: by the induction hypothesis, PFTran(φ_1) and PFTran(φ_2) can be completed in 2^{O(|φ_1|)} and 2^{O(|φ_2|)}, respectively. After being transformed into PF form, the number of disjuncts in φ_1 (resp. φ_2) is bounded by 2^{O(|φ_1|)} (resp. 2^{O(|φ_2|)}). Hence, algorithm AND can be completed in 2^{O(|φ_1| + |φ_2|)}. Further, the overall running time of PFTran(φ) is 2^{O(|φ_1|)} + 2^{O(|φ_2|)} + 2^{O(|φ_1| + |φ_2|)}, which is bounded by 2^{O(|φ|)}.

- φ = σX.ψ: we consider only guarded formulas, where each free occurrence of X in ψ must be in the scope of a ○ operator. Regarding X as an atomic proposition, ψ can be transformed into PF form by algorithm PFTran, which can be accomplished, by the induction hypothesis, in 2^{O(|ψ|)}. Subsequently, by substituting σX.ψ for all free occurrences of X in ψ (which can be done in linear time), we obtain that ψ[σX.ψ/X] can also be transformed into PF form by algorithm PFTran in 2^{O(|φ|)}. Therefore, the running time of PFTran(σX.ψ) is bounded by 2^{O(|φ|)} in this case.

It follows that algorithm PFTran can be done in 2^{O(|φ|)}. □

Lemma 6. Algorithm PFGCon can be done in 2^{O(|φ|)}.

Proof. The running time of PFGCon depends mainly on three parts: (I) generating nodes and edges; (II) adding marks; (III) eliminating redundant nodes and the related edges. In part I, since |N_φ| is bounded by 2^{O(|φ|)}, the number of iterations in Line 2 is bounded by 2^{O(|φ|)}. In each iteration, algorithm PFTran is called, which can be finished in 2^{O(|φ|)} according to Lemma 5. Next, after the PF form transformation, the number of iterations in Line 5 of PFGCon is bounded by 2^{O(|φ|)}. Hence, part I can be finished in 2^{O(|φ|)}. In part II, |E_φ| is bounded by 2^{O(|φ|)}. For each edge in E_φ, we need to obtain its mark information. Algorithm AddMark checks whether a fixpoint formula which has been unfolded by itself or by a least fixpoint formula in a PF form transformation process exists in the future part of the PF form, and it can be completed in O(|φ|). Therefore, part II can be completed in 2^{O(|φ|)}. Further, part III can apparently be finished in 2^{O(|φ|)}. Thus, based on the above analysis, the overall running time of PFGCon is in 2^{O(|φ|)}. □

Lemma 7. Algorithm Tarjan can be done in 2^{O(|φ|)} [27].

Lemma 8. Algorithm isNuPath can be done in 2^{O(|φ|)}.

Proof. In Line 1, the number of iterations is bounded by 2^{O(|φ|)}. In Line 2, the conditional statements X ∈ Mark(e) and "X is a μ-variable" can be determined in O(n_ν) and O(1), respectively. Further, the number of iterations in Line 6 (resp. Line 7) is bounded by O(n_ν) (resp. 2^{O(|φ|)}). For each μ-variable V_μ appearing in φ, we maintain a list of the variables depending on V_μ. In this way, the conditional statement in Line 8 can be decided in O(n_ν). Therefore, algorithm isNuPath can be done in 2^{O(|φ|)}. □

Lemma 9. Algorithm SCCNuSearch can be done in 2^{O(|φ|)}.

Proof. Since each edge in the input scc is handled exactly once, the total number of recursive calls to SCCNuSearch is bounded by 2^{O(|φ|)}. In Line 2, the number of iterations is also bounded by 2^{O(|φ|)}. Subsequently, algorithms isLoop and isNuPath are called in the conditional statements of Lines 6 and 8, and both of them can be determined in 2^{O(|φ|)}. It follows that algorithm SCCNuSearch can be done in 2^{O(|φ|)}. □

Theorem 10. The decision procedure PFGSAT can be done in 2^{O(|φ|)}.

Proof. This theorem is a direct consequence of Lemmas 5 to 9. □

As far as we know, the current best time complexity for the decision problems of νTL is 2^{O(|φ| log |φ|)}, due to [13], [14], [15], and our PFG-based decision procedure noticeably improves it to 2^{O(|φ|)}. However, the price to pay for the improvement is exponential space.

Remarks. Building the PFG for a given formula is similar to the process of constructing the tableau for that formula. The main difference is that marks are added during the PFG construction. How to add marks is guided by whether or not the unfolding of the corresponding formulas will increase the μ-signature with respect to some variable in a PF form transformation process. As a result, we can detect non-well-foundedness of the unfolding of least fixpoint formulas within a PFG. The existing decision procedures usually need to construct an automaton to check non-well-foundedness. Therefore, the complexity of those methods is mainly influenced by results from automata theory. With our method, the satisfiability of a formula can be decided directly through the PFG of the formula. Since our method is independent of results from automata theory, we obtain a faster decision procedure. However, we have to use the information of the whole PFG when deciding satisfiability of a formula, hence our method can no longer be done in polynomial space.

6 Model Checking Based on PFG 

In this section, we use Kripke structures as models to demonstrate how the PFG-based model checking approach for νTL is achieved.

6.1 Kripke Structure

Let AP be a set of atomic propositions. A Kripke structure [28] over AP is defined as a quadruple M = (S, s_0, R, I) consisting of:

• a finite set of states S,

• a designated initial state s_0 ∈ S,

• a transition relation R ⊆ S × S where R is total, i.e. ∀s ∈ S, ∃s' ∈ S, (s, s') ∈ R,

• a labeling (or interpretation) function I : S → 2^{AP} defining for each state s ∈ S the set of all atomic propositions valid in s.

A path of M is an infinite sequence of states ρ = s_0, s_1, s_2, ... departing from the initial state s_0, such that for each i ≥ 0, (s_i, s_{i+1}) ∈ R. The word on ρ is the sequence of sets of atomic propositions w = I(s_0), I(s_1), I(s_2), ..., which is an ω-word over the alphabet 2^{AP}.

We need to take all paths in a Kripke structure into consideration for the model checking problem of νTL. Given a Kripke structure M and a property φ specified by a νTL formula, we say M ⊨ φ iff every path in M satisfies φ. However, when determining whether M ⊨ φ, for simplicity, we usually check whether there exists a path in M satisfying ¬φ: if not, we have M ⊨ φ; otherwise, M ⊭ φ and we can obtain a counterexample.


In the previous section, we have presented a decision proce¬ 
dure for checking satisfiability of the guarded fragment of vTL 
formulas based on PFG. Therefore, according to the decision 
procedure, we are able to formalize a PFG-based model checking 
approach for vTL. To do so, first, it is essential to construct the 
product of a Kripke structure and a PFG. 

6.2 Product Graph 

Let M = (S, s_0, R, I) be a Kripke structure, G_φ = (N_φ, E_φ, n_0) the PFG of formula φ, and AP the set of atomic propositions over M and φ. The product of M and G_φ is defined as a triple G_{M×φ} = (V, E, v_0) where:

• V ⊆ S × N_φ is a set of nodes.

• E ⊆ V × Q × V is a set of edges, where Q is the label of an edge between two nodes. Each ((s_i, φ_i), Q_i, (s_j, φ_j)) ∈ E satisfies three conditions: (1) (s_i, s_j) ∈ R and (φ_i, φ_e, φ_j) ∈ E_φ; (2) Q_i = φ_e; (3) ((s_i, φ_i), Q_i, (s_j, φ_j)) has the same mark as (φ_i, φ_e, φ_j).

• In particular, v_0 = (s_0, n_0) is the root node.

In a product graph G_{M×φ}, a node is called a dead node if it has no outgoing edge. A finite path Ω = v_0, e_0, v_1, e_1, ..., v_k in G_{M×φ} is a finite alternating sequence of nodes and edges starting from the root node and ending with a dead node. An infinite path Ω = v_0, e_0, v_1, e_1, ... in G_{M×φ} is an infinite alternating sequence of nodes and edges departing from the root node.

Given a Kripke structure M = (S, s_0, R, I) and the PFG G_φ = (N_φ, E_φ, n_0) of a formula φ, we use algorithm PGConstruction to construct their product.


Algorithm 10 PGConstruction(M, G_φ)

1: v_0 = (s_0, n_0), V = {v_0}, E = ∅, h[v_0] = 0
2: while there exists v = (s, φ) ∈ V with h[v] = 0 do
3:   h[v] = 1
4:   for each (s, s') ∈ R and (φ, φ_e, φ') ∈ E_φ do
5:     if LabelCheck(s, φ_e) then
6:       E = E ∪ {((s, φ), φ_e, (s', φ'))}   /* the newly added edge has the same mark as edge (φ, φ_e, φ') in G_φ */
7:       if (s', φ') ∉ V then
8:         V = V ∪ {(s', φ')}
9:         h[(s', φ')] = 0
10:      end if
11:    end if
12:  end for
13: end while
14: return G_{M×φ}


The algorithm takes M and G_φ as inputs and returns the product graph G_{M×φ} in the end. The root node v_0 of G_{M×φ} is assigned (s_0, n_0). Moreover, the set of nodes V and the set of edges E in G_{M×φ} are initialized to {v_0} and ∅, respectively. The algorithm repeatedly checks whether the construction can proceed from an unhandled node v ∈ V using the boolean function LabelCheck, and then adds, if so, the corresponding nodes and edges to V and E, respectively, until all nodes in V have been handled. h[] is utilized to indicate whether a node has been handled. If h[v] = 0, v still needs to be handled; otherwise, v has already been handled.
Algorithm 11 LabelCheck(s, φ_e)

1: if φ_e is true then
2:   return true
3: end if
4: for each conjunct ρ of φ_e do
5:   if ρ is p and p ∈ I(s), or ρ is ¬p and p ∉ I(s) then
6:     continue
7:   else
8:     return false
9:   end if
10: end for
11: return true



Fig. 13. Product of M_0 and G_{φ_0}


Given a node v = (s, φ) ∈ V, we use algorithm LabelCheck to determine whether the construction can continue from a transition (s, s') ∈ R and an edge (φ, φ_e, φ') ∈ E_φ. If φ_e = true, the output of LabelCheck is true; otherwise, for each conjunct ρ of φ_e, where ρ denotes an atomic proposition or its negation, if ρ is p and p ∈ I(s) (resp. ρ is ¬p and p ∉ I(s)), the output of LabelCheck is true. In all other cases, the output of LabelCheck is false. Note that when an edge ((s, φ), φ_e, (s', φ')) is added to E, it retains the mark of edge (φ, φ_e, φ') in G_φ.

Similar to the representation of a PFG, in a product graph we also use a double circle to denote the root node and a single circle to denote each of the other nodes. Each edge is denoted by a directed arc connecting two nodes. A mark is placed behind the label of an edge if it exists.

Example 11. Constructing the product of Kripke structure M_0 and the PFG of formula φ_0: ○νX.(p ∧ ○X) by algorithm PGConstruction.

As illustrated in Fig. 13, at the very beginning, the root node (s_0, n_0) is created and handled first by the algorithm. For the transition (s_0, s_1) in M_0 and the edge (n_0, true, n_1) in G_{φ_0}, since the label of (n_0, true, n_1) is true, the output of algorithm LabelCheck is true. Therefore, node (s_1, n_1) and edge ((s_0, n_0), true, (s_1, n_1)) are created. Similarly, for the transition (s_0, s_3) and the edge (n_0, true, n_1), node (s_3, n_1) and edge ((s_0, n_0), true, (s_3, n_1)) are created.

Next, the algorithm deals with the node (s_1, n_1). For the transition (s_1, s_2) in M_0 and the edge (n_1, p, n_1) in G_{φ_0}, since p ∈ I(s_1), the output of algorithm LabelCheck is true. Therefore, node (s_2, n_1) and edge ((s_1, n_1), p, (s_2, n_1)) are created. Moreover, ((s_1, n_1), p, (s_2, n_1)) is marked with {X}.

Subsequently, the node (s_3, n_1) is handled by the algorithm. For the transition (s_3, s_3) in M_0 and the edge (n_1, p, n_1) in G_{φ_0}, since p ∈ I(s_3), the output of algorithm LabelCheck is true. Thus, edge ((s_3, n_1), p, (s_3, n_1)) is created and marked with {X}.

Further, the algorithm deals with the node (s_2, n_1). For the transition (s_2, s_1) in M_0 and the edge (n_1, p, n_1) in G_{φ_0}, since p ∉ I(s_2), the output of algorithm LabelCheck is false, which indicates that the construction cannot proceed on node (s_2, n_1). By now, all nodes have been handled and the whole construction process terminates.

6.3 ν-paths in Product Graph

To formalize the PFG-based model checking approach for νTL, we apply the definition of ν-paths in PFGs to product graphs. Similarly, we concentrate only on paths ending with loops in a product graph. Given an infinite path Ω in a product graph, for convenience, we use LES_MC(Ω) to denote the set of edges appearing in the loop part of Ω, Mark_MC(e) the mark of edge e, and LMS_MC(Ω) the set of all μ-variables occurring in each Mark_MC(e_i) where e_i ∈ LES_MC(Ω). In addition, we use FCom(Ω) to denote the sequence of the first components of the nodes on Ω, and SCom(Ω) the alternating sequence of nodes and edges in the original PFG corresponding to the sequence of the second components of the nodes on Ω.
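As an added example (Python, not the paper's C++ tool), Algorithms 10 and 11 run on the inputs of Example 11: the transitions of M_0 and the PFG of φ_0 are taken from that example, and the labelings of s_0 and s_2 (which the example does not list beyond p ∉ I(s_2)) are assumed to be empty.

```python
# Constructed Kripke structure M_0 of Example 11. p holds in s1 and s3 but not
# in s2 (as stated there); I(s0) is assumed empty.
M0_TRANSITIONS = {("s0", "s1"), ("s0", "s3"), ("s1", "s2"), ("s2", "s1"), ("s3", "s3")}
M0_LABELING = {"s0": set(), "s1": {"p"}, "s2": set(), "s3": {"p"}}

# PFG of phi_0 = o nuX.(p ^ oX): n0 --true--> n1 and n1 --p,{X}--> n1.
# An edge is (src, label, tgt, mark); a label is "true" or literals joined by
# "&", where a leading "!" negates the proposition.
PFG_PHI0 = [("n0", "true", "n1", frozenset()),
            ("n1", "p", "n1", frozenset({"X"}))]


def label_check(state, label, labeling):
    """Algorithm 11: 'true' always passes; otherwise every literal of the edge
    label must hold in `state` (p in I(s) for p, p not in I(s) for !p)."""
    if label == "true":
        return True
    for lit in label.split("&"):
        if lit.startswith("!"):
            if lit[1:] in labeling[state]:
                return False
        elif lit not in labeling[state]:
            return False
    return True


def build_product(transitions, labeling, pfg_edges, s0, n0):
    """Algorithm 10 (PGConstruction): grow the product graph from (s0, n0),
    handling each node once (the h[] flag); every product edge carries the mark
    of the PFG edge it came from. Returns (nodes, edges)."""
    v0 = (s0, n0)
    nodes, edges, handled = {v0}, [], set()
    while True:
        pending = [v for v in nodes if v not in handled]   # nodes with h[v] = 0
        if not pending:
            return nodes, edges
        v = min(pending)            # any unhandled node; min() only fixes the order
        handled.add(v)
        s, n = v
        for (a, b) in sorted(transitions):
            if a != s:
                continue
            for (src, lab, tgt, mark) in pfg_edges:
                if src != n or not label_check(s, lab, labeling):
                    continue
                w = (b, tgt)
                edges.append((v, lab, w, mark))   # same mark as (n, lab, tgt) in G_phi
                nodes.add(w)                      # newly added nodes start unhandled


def dead_nodes(nodes, edges):
    """Nodes of the product without outgoing edge; a finite path ends there."""
    return {v for v in nodes if not any(e[0] == v for e in edges)}


if __name__ == "__main__":
    V, E = build_product(M0_TRANSITIONS, M0_LABELING, PFG_PHI0, "s0", "n0")
    for (v, lab, w, mark) in E:
        print(v, "--", lab, sorted(mark), "-->", w)
    print("dead nodes:", dead_nodes(V, E))   # {('s2', 'n1')}, as in Example 11
```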



[Figure residue: nodes of the PFG G_{φ_0}, n_0: ◯νX.(p ∧ ◯X) and n_1: X]


Definition 6. Given a Kripke structure M and a closed νTL formula φ. An infinite path Ω in G_{M×¬φ} is called a ν-path iff for each X ∈ LMS_MC(Ω), an edge e ∈ LES_MC(Ω) can be found such that X ∉ Mark_MC(e) and for any X' with X < X', X' ∉ Mark_MC(e).

Example 12. ν-paths in a product graph.

1) Ω_1: (s_0, n_0), true, (s_3, n_2), p, ((s_3, n_1), q ∧ p)^ω. Ω_1 is a ν-path since LMS_MC(Ω_1) = ∅.



[Figure residue: a PFG whose root formula is garbled (νZ.μX.…), with nodes n_0: Z, n_1: q ∧ Z, n_2: X ∧ Z and edge labels q ∧ p, {Z}; p, {Z}; true, {X, Z}]

Fig. 12. Kripke structure M_0 and the PFG of φ_0

Fig. 14. Examples of ν-paths in a product graph
2) Ω_2: (s_0, n_0), true, ((s_1, n_2), true, (s_2, n_2), true)^ω. We have LES_MC(Ω_2) = {((s_1, n_2), true, (s_2, n_2)), ((s_2, n_2), true, (s_1, n_2))} and LMS_MC(Ω_2) = {X}. For the only variable X ∈ LMS_MC(Ω_2), we cannot find an edge from LES_MC(Ω_2) whose mark does not contain X. So Ω_2 is not a ν-path.

3) Ω_3: (s_0, n_0), true, ((s_0, n_2), p, (s_0, n_1), q)^ω. We have LES_MC(Ω_3) = {((s_0, n_2), p, (s_0, n_1)), ((s_0, n_1), q, (s_0, n_2))} and LMS_MC(Ω_3) = {X}. For the only variable X ∈ LMS_MC(Ω_3), we can find an edge ((s_0, n_2), p, (s_0, n_1)) ∈ LES_MC(Ω_3) whose mark contains neither X nor any variable depending on X. Therefore, Ω_3 is a ν-path.

Regarding the notion of ν-paths in a product graph, the following theorem is formalized.

Theorem 11. Given a Kripke structure M and a closed νTL formula φ. We have M ⊨ φ iff no ν-path exists in G_{M×¬φ}.

Proof. (⇒) Suppose M ⊨ φ and there exists a ν-path, Ω_1, in

When LMS_MC(Ω_1) is empty, no infinite descending chain of μ-signatures on SCom(Ω_1) can be found. Thus, we have that SCom(Ω_1) characterizes a model of ¬φ. That is, FCom(Ω_1) is a model of ¬φ, which contradicts the premise that M ⊨ φ. Therefore, no ν-paths exist in G_{M×¬φ} in this case.

When LMS_MC(Ω_1) is not empty, we can obtain that for each Y ∈ LMS_MC(Ω_1), an edge e_1 ∈ LES_MC(Ω_1) can be found such that Y ∉ Mark_MC(e_1) and there exists no Y' ∈ Mark_MC(e_1) where Y < Y'. Therefore, we can acquire the following sequence of variables relevant to Y according to the sequence of marks in the loop part of Ω_1:

Y, Y_1, Y_2, ..., Y_m, Y

Further, we can obtain the following sequence of fixpoint formulas accordingly:

μY.φ_Y, σY_1.φ_1, σY_2.φ_2, ..., σY_m.φ_m, μY.φ_Y

where there must exist a formula σY_j.φ_j (1 ≤ j ≤ m) in which μY.φ_Y does not appear as a subformula. By the well-foundedness of μ-signatures w.r.t. Y, we have that SCom(Ω_1) characterizes a model of ¬φ. In other words, FCom(Ω_1) is a model of ¬φ, which contradicts the premise that M ⊨ φ. It follows that when M ⊨ φ, there exists no ν-path in G_{M×¬φ}.

(⇐) Let Ω_2 be an arbitrary path in G_{M×¬φ}.

When Ω_2 is finite, by Theorem 4 we know that SCom(Ω_2) does not characterize a model of ¬φ. That is, any path in M prefixed by FCom(Ω_2) is a model of φ in this case.

When Ω_2 is infinite, since no ν-path exists in G_{M×¬φ} by assumption, Ω_2 is not a ν-path, so there exists at least one X ∈ LMS_MC(Ω_2) such that for each edge e_2 ∈ LES_MC(Ω_2), either X ∈ Mark_MC(e_2) or X' ∈ Mark_MC(e_2) where X < X'. As a result, we can obtain the following sequence of variables according to the sequence of marks in the loop part of Ω_2:

X, X_1, X_2, ..., X_n, X

where each X_i (1 ≤ i ≤ n) is either X itself or a variable depending on X.

Further, we can obtain the following sequence of fixpoint formulas accordingly:

μX.φ_X, σX_1.φ_1, σX_2.φ_2, ..., σX_n.φ_n, μX.φ_X

where each σX_i.φ_i is identified by X_i and μX.φ_X by X. Since each X_i is either X or a variable depending on X, μX.φ_X must appear as a subformula of each σX_i.φ_i. Therefore, it can be seen that the above sequence describes exactly an infinite descending chain of μ-signatures w.r.t. X. By the well-foundedness of μ-signatures, we have that SCom(Ω_2) does not characterize a model of ¬φ. That is, FCom(Ω_2) is a model of φ. It follows that when there exists no ν-path in G_{M×¬φ}, M ⊨ φ. □

Fig. 15. Model checking based on PFG

As a result, we reduce the model checking problem of νTL to a ν-path searching problem on a product graph. According to Theorem 11, we propose the PFG-based model checking process for νTL, as illustrated in Fig. 15.

In Fig. 15, function PGReduction is employed to remove all dead nodes and the related edges from the product graph G_{M×¬φ}, while function NuSearch is used to find a ν-path in G_{M×¬φ}. If no ν-path exists in G_{M×¬φ}, we have M ⊨ φ; otherwise, M ⊭ φ and a counterexample can be obtained.

In the following we use a couple of examples to demonstrate how the PFG-based model checking approach works.

Example 13. Checking whether Kripke structure M_1 satisfies property φ_1: μX.(p ∨ ◯X) ∧ νY.(q ∧ ◯◯Y).

Here φ_1 describes the property that p finally holds and q holds on every even position. The product of M_1 and G_{¬φ_1} is shown in Fig. 17. First, we eliminate all the dead nodes and the related edges from the product graph. After that, we try to find a ν-path in the remaining graph. Since a ν-path (highlighted in red) is found, we can obtain that M_1 ⊭ φ_1 and path s_0, s_2, s_3, (s_2, s_3)^ω in M_1 is a corresponding counterexample.

[Figure residue: φ_1: μX.(p ∨ ◯X) ∧ νY.(q ∧ ◯◯Y); ¬φ_1: νX.(¬p ∧ ◯X) ∨ μY.(¬q ∨ ◯◯Y); PFG nodes n_0: νX.(¬p ∧ ◯X) ∨ μY.(¬q ∨ ◯◯Y), n_1: X, n_2: true, n_3: ◯Y, n_4: Y]

Fig. 16. M_1 and the PFG of ¬φ_1

Fig. 17. Product of M_1 and G_{¬φ_1}

Next, we consider Kripke structure M_2, as depicted in Fig. 18, for the same property above. Since no ν-path can be found in the product of M_2 and G_{¬φ_1}, we can obtain that M_2 ⊨ φ_1.

Fig. 18. M_2 and the corresponding product graph

Further, let us consider a more complicated example.

Example 14. Checking whether Kripke structure M_3 satisfies property φ_2: νX.μY.(◯Y ∨ p ∧ ◯X) ∨ νZ.(q ∧ ◯◯Z).

The product of M_3 and G_{¬φ_2} is illustrated in Fig. 20. We can see that M_3 ⊭ φ_2 and path s_0, s_2, s_3, (s_3)^ω in M_3 is a counterexample.

[Figure residue: φ_2: νX.μY.(◯Y ∨ p ∧ ◯X) ∨ νZ.(q ∧ ◯◯Z); ¬φ_2: μX.νY.(◯Y ∧ (¬p ∨ ◯X)) ∧ μZ.(¬q ∨ ◯◯Z); PFG nodes n_0: μX.νY.(◯Y ∧ (¬p ∨ ◯X)) ∧ μZ.(¬q ∨ ◯◯Z), n_1: Y, n_2: Y ∧ X, n_3: Y ∧ ◯Z, n_4: Y ∧ X ∧ ◯Z, n_5: Y ∧ Z, n_6: Y ∧ X ∧ Z]

Fig. 19. M_3 and the PFG of ¬φ_2

Fig. 20. Product of M_3 and G_{¬φ_2}

6.4 The Model Checking Algorithm

In this section we present a sketch, algorithm MCPFG, of how the PFG-based model checking approach is realized.

Algorithm 12 MCPFG(M, φ)

1: G_{¬φ} = PFGCon(¬φ)
2: G_{M×¬φ} = PGConstruction(M, G_{¬φ})
3: G_{M×¬φ} = PGReduction(G_{M×¬φ})
4: if G_{M×¬φ} is empty then
5:   return M ⊨ φ
6: end if
7: MCTarjan(G_{M×¬φ}, v_0)
8: for each C ∈ CS do
9:   NuSearch(v, C)  /* v is an arbitrary node in C */
10: end for
11: return M ⊨ φ

The algorithm takes a Kripke structure M and a property φ, specified by a closed νTL formula, as inputs and eventually returns the result whether M ⊨ φ. To do so, the PFG, G_{¬φ}, of ¬φ is constructed first by algorithm PFGCon. Next, the product of M and G_{¬φ} is constructed by algorithm PGConstruction and then reduced by algorithm PGReduction (as shown in Algorithm 13). If the reduced product graph G_{M×¬φ} is empty, we have M ⊨ φ since no ν-path can be found in G_{M×¬φ}; otherwise, the algorithm will try to find a ν-path in G_{M×¬φ}. Further, algorithm MCTarjan is employed to compute all SCCs in G_{M×¬φ}. Finally, the algorithm checks whether there exists a loop in some SCC which corresponds to a ν-path by algorithm NuSearch: if so, NuSearch will return that M ⊭ φ and a corresponding counterexample can be obtained; otherwise, M ⊨ φ.

Algorithm 13 PGReduction(G_{M×¬φ})

1: for all v ∈ V with no outgoing edge do
2:   V = V \ {v}  /* eliminating dead nodes and the related edges */
3:   E = E \ {(v', α_i, v) | (v', α_i, v) ∈ E}
4: end for
5: return G_{M×¬φ}

Note that algorithm NuSearch uses boolean function isNu to determine whether a sequence of edges in G_{M×¬φ} corresponds to a ν-path. Algorithms MCTarjan, NuSearch and isNu are similar to algorithms Tarjan, SCCNuSearch and isNuPath, respectively, except that we consider product graphs here instead of PFGs.
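As an added example that is not part of the paper or its C++ implementation, the following Python sketch runs the dead-node reduction of PGReduction to a fixpoint, implements the ν-path test of Definition 6 on the loop part of a path (the role of isNu), and searches for such a loop by depth-first search (a simplified NuSearch); the product graph, edge marks, μ-variables and the dependency relation X < X' are constructed assumptions shaped after Example 12, not the paper's figures.

```python
# Added example (not the paper's code): PGReduction run to a fixpoint, the nu-path
# test of Definition 6 (the role of isNu) and a simplified NuSearch. The marks,
# variables and the dependency relation X < X' below are constructed assumptions.
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Node = Tuple[str, str]          # (state of M, node of the PFG of not phi)
Edge = Tuple[Node, str, Node]   # (source, label, target)
Marks = Dict[Edge, FrozenSet[str]]

def pg_reduction(nodes: Set[Node], edges: List[Edge]) -> Tuple[Set[Node], List[Edge]]:
    """Drop dead nodes (no outgoing edge) and the edges entering them, repeating
    until a fixpoint, since a deletion can leave predecessors dead as well."""
    nodes, edges = set(nodes), list(edges)
    while True:
        dead = {v for v in nodes if not any(src == v for src, _, _ in edges)}
        if not dead:
            return nodes, edges
        nodes -= dead
        edges = [e for e in edges if e[2] not in dead]

def is_nu(loop: List[Edge], mark: Marks, mu_vars: Set[str], depends: Dict[str, Set[str]]) -> bool:
    """Definition 6 on a loop: every mu-variable X in LMS_MC (mu-variables in the
    loop's marks) needs a loop edge whose mark has neither X nor any X' with X < X'."""
    lms = {x for e in loop for x in mark[e] if x in mu_vars}
    return all(any(mark[e].isdisjoint({x} | depends.get(x, set())) for e in loop)
               for x in lms)

def nu_search(start: Node, edges: List[Edge], mark: Marks, mu_vars: Set[str],
              depends: Dict[str, Set[str]]) -> Optional[List[Edge]]:
    """DFS over simple paths from start; an edge back onto the path closes a loop,
    which is tested with is_nu. Returns the loop edges of a nu-path, else None."""
    out: Dict[Node, List[Edge]] = {}
    for e in edges:
        out.setdefault(e[0], []).append(e)
    def dfs(path: List[Edge]) -> Optional[List[Edge]]:
        on_path = [start] + [dst for _, _, dst in path]
        for e in out.get(on_path[-1], []):
            if e[2] in on_path:                      # loop part starts at e[2]
                loop = path[on_path.index(e[2]):] + [e]
                if is_nu(loop, mark, mu_vars, depends):
                    return loop
            else:
                found = dfs(path + [e])
                if found:
                    return found
        return None
    return dfs([])

# Constructed sample like Example 12: a {X,Z}-marked loop (no nu-path), a loop with a {Z}-only edge (nu-path), a dead branch.
S0N0, S1N2, S2N2, S0N2, S0N1 = ("s0", "n0"), ("s1", "n2"), ("s2", "n2"), ("s0", "n2"), ("s0", "n1")
E: List[Edge] = [(S0N0, "true", S1N2), (S1N2, "true", S2N2), (S2N2, "true", S1N2),
                 (S0N0, "true", S0N2), (S0N2, "p", S0N1), (S0N1, "q", S0N2),
                 (S0N0, "true", ("s8", "n8")), (("s8", "n8"), "true", ("s9", "n9"))]
MARK: Marks = {e: frozenset() for e in E}
MARK.update({E[1]: frozenset("XZ"), E[2]: frozenset("XZ"), E[4]: frozenset("Z"), E[5]: frozenset("XZ")})
MU_VARS, DEPENDS = {"X"}, {"X": set()}        # Z is a nu-variable, so it never enters LMS_MC

def run_sample() -> Tuple[Set[Node], Optional[List[Edge]]]:
    nodes, edges = pg_reduction({n for s, _, d in E for n in (s, d)}, E)
    return nodes, nu_search(S0N0, edges, MARK, MU_VARS, DEPENDS)
```

The first components of the returned loop edges, prefixed by the path from the root, are the counterexample in M; a full NuSearch would run this search per SCC computed by MCTarjan.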

6.5 Complexity Issues 

In this section we discuss the complexity of the PFG-based model checking approach for νTL. Let M = (S, s_0, R, I) be a Kripke structure, φ a property specified by a closed νTL formula, G_{¬φ} = (N_{¬φ}, E_{¬φ}, n_0) the PFG of ¬φ, and N_ν (resp. N_p) the number of fixpoint subformulas (resp. atomic propositions) appearing in φ. We write |S| (resp. |R|) for the number of states (resp. transitions) in M, |φ| for the size of φ, and |N_{¬φ}| (resp. |E_{¬φ}|) for the number of nodes (resp. edges) in G_{¬φ}. Note that |S| is no larger than |R| since R is total. According to Corollary 3, it is easy to see that both |N_{¬φ}| and |E_{¬φ}| are bounded by 2^{O(|φ|)}. Therefore, the number of nodes (resp. edges) in G_{M×¬φ} is bounded by O(|S|)·2^{O(|φ|)} (resp. O(|R|)·2^{O(|φ|)}). Regarding M and φ, we have the following lemmas.

Lemma 12. Algorithm PGConstruction can be done in O(|S|^2·|R|)·2^{O(|φ|)}.

Proof. For each unhandled node v in G_{M×¬φ}, the algorithm checks whether new nodes and edges can be generated due to v. Therefore, the number of iterations of the while loop is bounded by O(|S|)·2^{O(|φ|)}. Next, it is easy to see that the number of iterations of the for loop is bounded by O(|R|)·2^{O(|φ|)}. In each iteration of the for loop, function LabelCheck is called to decide whether the construction could proceed on the node currently being handled, which can apparently be finished in O(N_p^2). Further, the conditional statement in Line 7 of PGConstruction can be determined in O(|S|)·2^{O(|φ|)}. Therefore, algorithm PGConstruction can be done in O(|S|^2·|R|)·2^{O(|φ|)}. □

In addition, the following lemma is straightforward.

Lemma 13. Algorithm PGReduction can be done in O(|S|·|R|)·2^{O(|φ|)}.

Lemma 14. Algorithm MCTarjan can be done in O(|S| + |R|)·2^{O(|φ|)}, namely O(|R|)·2^{O(|φ|)}.

Lemma 15. Algorithm isNu can be done in O(|R|)·2^{O(|φ|)}.

Proof. Let ES_MC be the input to isNu where ES_MC is a sequence of edges in G_{M×¬φ}. The algorithm first obtains the set of μ-variables, MU, occurring in each Mark_MC(e) where e ∈ ES_MC, which can be completed in O(|R|)·2^{O(|φ|)}. Subsequently, for each V ∈ MU, the algorithm tries to find an edge e' ∈ ES_MC satisfying the following condition: V ∉ Mark_MC(e') and V' ∉ Mark_MC(e') where V < V'. By maintaining, for each μ-variable Y appearing in ¬φ, a list of variables depending on Y, it is not hard to see that this condition can be decided in O(N_ν). Therefore, the running time of this part is in O(|R|)·2^{O(|φ|)}. It follows that algorithm isNu can be done in O(|R|)·2^{O(|φ|)}. □

Lemma 16. Algorithm NuSearch can be done in O(|R|^3)·2^{O(|φ|)}.

Proof. Let v and C be the inputs to NuSearch where C is an SCC in G_{M×¬φ} and v is a node in C. The algorithm calls itself recursively to build a path starting from v which is likely to correspond to a ν-path in G_{M×¬φ}. Since each edge in C is handled exactly once, the total number of recursive calls for NuSearch is bounded by O(|R|)·2^{O(|φ|)}. Further, for each unvisited edge e in C which takes the input node as its source node, the algorithm adds e to a vector EV and then checks whether there exists a loop in EV. It is obvious that checking the existence of a loop can be completed in O(|S|)·2^{O(|φ|)}. If such a loop does exist, the algorithm calls isNu to determine whether it corresponds to a ν-path, which can be accomplished in O(|R|)·2^{O(|φ|)} by Lemma 15; otherwise, a recursive call is made. Therefore, this part can be finished in O(|S|·|R| + |R|^2)·2^{O(|φ|)}, namely O(|R|^2)·2^{O(|φ|)}. It follows that algorithm NuSearch can be done in O(|R|^3)·2^{O(|φ|)}. □

Theorem 17. The model checking algorithm MCPFG can be done in O(|S|·|R|^3)·2^{O(|φ|)}.

Proof. Since the total number of SCCs in G_{M×¬φ} is bounded by O(|S|)·2^{O(|φ|)}, by Lemma 6 and Lemmas 12-16 we can obtain that algorithm MCPFG can be done in O(|S|·|R|^3)·2^{O(|φ|)}. □


7 Related Work 

The major milestone of the decision problems for modal μ-calculus is made by Streett and Emerson [?], who introduce the notions of choice functions, signatures and well-founded pre-models, and apply automata theory to check satisfiability. They show that a formula is satisfiable iff it has a well-founded pre-model. Two automata, PA and B, are used in their decision procedure. PA checks the consistency of pre-models while B detects non-well-foundedness of least fixpoints. The decision procedure is finally achieved by doing an emptiness test for the product automaton PA × B. Related methods [?], [?] translate a formula into an equivalent alternating tree automaton and then check for emptiness.

In [?], Vardi first adapts Streett and Emerson's method to νTL with past operators. In his work, two-way automata are used to deal with the past operators and an algorithm running in 2^{O(|φ|)} is obtained eventually. In [11], Banieqbal and Barringer show that if a formula has a model, then it is able to generate a good Hintikka structure, which can be further transformed into a good path searching problem on a graph. Their algorithm is equivalent in time complexity to Vardi's but runs in exponential space.

Stirling and Walker [12] first present a tableau characterisation for νTL's decision problems. However, they do not give any complexity analysis due to the complicated success conditions. Later, Bradfield, Esparza and Mader [13] improve the system of Stirling and Walker by simplifying the success conditions for a tableau. In their system a successful terminal is determined by the path leading to it, whereas Stirling and Walker's method requires the examination of a potentially infinite number of paths extending over the whole tableau. Using standard results from complexity theory, they obtain an algorithm running in 2^{O(|φ|·log|φ|)}. Moreover, their system uses a couple of similar notions in [14] but gets rid of the use of recurrence points, which would lead to a significant increase in the number of possible tableaux for a given root. A tableau system for modal μ-calculus which does not rely on automata theory is given in [29], where the notion of names is used to keep track of the unfolding of fixpoint variables. In [30], a tableau calculus for deciding satisfiability of arbitrary formulas is presented based on a new unfolding rule for greatest fixpoint formulas which allows unguarded formulas to be handled without an explicit transformation into guarded form.
In [?], Dax, Hofmann and Lange present a simple proof system for νTL. In the system, a sequent is a subset of the closure of a formula φ and semantically stands for the disjunction of elements in the closure. A pre-proof for φ is a possibly infinite tree whose nodes are labeled with sequents, whose root is labeled with ⊢ φ, and which is built by the corresponding proof rules. For an infinite branch π in a pre-proof for φ, they define the notion of ν-threads contained in π. Moreover, they show that a proof for φ is a pre-proof where every finite branch ends with a true sequent, and every infinite branch contains a ν-thread. To check if there exists a proof for φ (or validity of φ), they use a nondeterministic parity automaton A_φ to accept exactly the branches which contain a ν-thread, and a deterministic Büchi automaton B_φ to accept all the words which form a branch in a pre-proof for φ. Further, they prove that for any νTL formula φ, L(B_φ) ⊆ L(A_φ) iff ⊢ φ. Therefore, it suffices to check the language L(B_φ) ∩ complement(L(A_φ)) for non-emptiness, which can be done in PSPACE [31]. Depending on which complementation procedure is used they obtain an algorithm running in 2^{O(|φ|·log|φ|)} and implement it in OCaml.

In our method, given a formula φ, by repeating PF form transformations, we build the PFG G_φ describing the possible models of φ. The process of constructing G_φ guarantees that each node in G_φ corresponds to a consistent subset of CL(φ). Meanwhile, during the construction, we technically add marks to edges which will be used to trace the infinite unfolding problem, i.e. non-well-foundedness, for least fixpoint formulas. Based on those marks, we define the notion of ν-paths and show that φ is satisfiable iff a ν-path is contained in G_φ. Therefore, we no longer need an automaton to detect non-well-foundedness of least fixpoint formulas. Since our method avoids the use of any result from automata or complexity theory, we obtain a faster procedure. However, when checking satisfiability of a formula, we need to store the whole PFG of the formula. Thus, our method runs in exponential space.


8 Conclusion 

In this paper, we have proved that every closed νTL formula can be transformed into a PF form whose future part is the conjunction of elements in the closure of a given formula. We have presented an algorithm for constructing PFGs and a decision procedure for checking satisfiability of the guarded fragment of νTL formulas based on PFGs. Also, we have implemented the decision procedure in C++. Experimental results show that our procedure performs better than the one given in [?]. Moreover, we have proposed a model checking approach for νTL based on PFGs. Compared with the existing methods for checking satisfiability of νTL formulas, our decision procedure has several advantages: (1) it does not rely on automata theory, since it works on PFGs; (2) it is more efficient in time and practical at the same time; (3) it gives good insight into why and how a given formula is satisfiable through its PFG; (4) it visually reflects why a path is a counterexample through the corresponding product graph when a Kripke structure violates a property.

In the near future, we intend to improve the performance of our 
decision procedure by technically choosing outgoing edges when 
trying to find a v-path. We will also develop a practical PFG-based 
model checker for vTL and do some further case studies for more 
complex systems and properties. 